Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe

Overview

General Information

Sample name:1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe
Analysis ID:1578899
MD5:b109b6b9485443491013e40fcc73ae5c
SHA1:5834449d4c050d5728118fc8db318ba4f4d10044
SHA256:453b0540237bb16db04d003e1e608ff89d1d749d8e2828edfbd1cd1b97b5ff75
Tags:base64-decodedexeuser-abuse_ch
Infos:

Detection

Remcos
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Machine Learning detection for sample
Maps a DLL or memory area into another process
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • cleanup
NameDescriptionAttributionBlogpost URLsLink
Remcos, RemcosRATRemcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["brideeded.duckdns.org:3421:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-QYW18E", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
SourceRuleDescriptionAuthorStrings
1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security
    1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeJoeSecurity_RemcosYara detected Remcos RATJoe Security
      1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeJoeSecurity_UACBypassusingCMSTPYara detected UAC Bypass using CMSTPJoe Security
        1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeWindows_Trojan_Remcos_b296e965unknownunknown
        • 0x6aaf8:$a1: Remcos restarted by watchdog!
        • 0x6b070:$a3: %02i:%02i:%02i:%03i
        1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeREMCOS_RAT_variantsunknownunknown
        • 0x64d94:$str_a1: C:\Windows\System32\cmd.exe
        • 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
        • 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
        • 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
        • 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
        • 0x64e04:$str_b2: Executing file:
        • 0x65c3c:$str_b3: GetDirectListeningPort
        • 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
        • 0x65780:$str_b7: \update.vbs
        • 0x64e2c:$str_b9: Downloaded file:
        • 0x64e18:$str_b10: Downloading file:
        • 0x64ebc:$str_b12: Failed to upload file:
        • 0x65c04:$str_b13: StartForward
        • 0x65c24:$str_b14: StopForward
        • 0x656d8:$str_b15: fso.DeleteFile "
        • 0x6566c:$str_b16: On Error Resume Next
        • 0x65708:$str_b17: fso.DeleteFolder "
        • 0x64eac:$str_b18: Uploaded file:
        • 0x64e6c:$str_b19: Unable to delete:
        • 0x656a0:$str_b20: while fso.FileExists("
        • 0x65349:$str_c0: [Firefox StoredLogins not found]
        Click to see the 1 entries
        SourceRuleDescriptionAuthorStrings
        00000003.00000000.2171408950.0000000000457000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security
          00000003.00000000.2171408950.0000000000457000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_RemcosYara detected Remcos RATJoe Security
            00000003.00000000.2171408950.0000000000457000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_UACBypassusingCMSTPYara detected UAC Bypass using CMSTPJoe Security
              00000003.00000000.2171408950.0000000000457000.00000002.00000001.01000000.00000003.sdmpWindows_Trojan_Remcos_b296e965unknownunknown
              • 0x146f8:$a1: Remcos restarted by watchdog!
              • 0x14c70:$a3: %02i:%02i:%02i:%03i
              00000002.00000000.2169865938.0000000000457000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security
                Click to see the 34 entries
                SourceRuleDescriptionAuthorStrings
                0.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpackJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security
                  0.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpackJoeSecurity_RemcosYara detected Remcos RATJoe Security
                    0.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpackJoeSecurity_UACBypassusingCMSTPYara detected UAC Bypass using CMSTPJoe Security
                      0.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpackWindows_Trojan_Remcos_b296e965unknownunknown
                      • 0x6aaf8:$a1: Remcos restarted by watchdog!
                      • 0x6b070:$a3: %02i:%02i:%02i:%03i
                      0.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpackREMCOS_RAT_variantsunknownunknown
                      • 0x64d94:$str_a1: C:\Windows\System32\cmd.exe
                      • 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
                      • 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
                      • 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
                      • 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
                      • 0x64e04:$str_b2: Executing file:
                      • 0x65c3c:$str_b3: GetDirectListeningPort
                      • 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
                      • 0x65780:$str_b7: \update.vbs
                      • 0x64e2c:$str_b9: Downloaded file:
                      • 0x64e18:$str_b10: Downloading file:
                      • 0x64ebc:$str_b12: Failed to upload file:
                      • 0x65c04:$str_b13: StartForward
                      • 0x65c24:$str_b14: StopForward
                      • 0x656d8:$str_b15: fso.DeleteFile "
                      • 0x6566c:$str_b16: On Error Resume Next
                      • 0x65708:$str_b17: fso.DeleteFolder "
                      • 0x64eac:$str_b18: Uploaded file:
                      • 0x64e6c:$str_b19: Unable to delete:
                      • 0x656a0:$str_b20: while fso.FileExists("
                      • 0x65349:$str_c0: [Firefox StoredLogins not found]
                      Click to see the 25 entries

                      Stealing of Sensitive Information

                      barindex
                      Source: Registry Key setAuthor: Joe Security: Data: Details: 7C 6C EE B0 60 00 DE AF 59 3D A0 9D BC EC 82 12 AE 04 16 E3 98 90 F1 3E 3B 83 02 60 FC EB 13 1B 2E 78 B2 CB D9 09 34 25 AD 68 4B A2 2F 73 9B 8E 1C 42 AC FE E8 60 60 5C D2 A5 FF 43 D2 21 F2 70 37 E5 F1 4C 68 38 30 BB 4F 39 F7 86 48 3E 72 82 F5 93 A9 A9 80 CB 91 79 B3 CE 24 1F 7C 4F 0D 55 2E 2D 4C 01 31 BA 9B 11 F7 F9 E4 46 1C 94 8B 78 52 74 04 A1 B9 B1 FE 97 B5 46 0F 50 7C 5A 26 C7 12 10 52 AF A6 EA 13 DA 51 C2 32 C6 A6 5A E9 A1 10 20 9E 75 74 AA 3A C6 35 09 3E 6A 51 5E AD 95 26 4C 00 75 FF 2D C3 A7 DC 0C 65 AC 04 F7 32 23 85 D8 FA AA 7A F2 8F BA 4D 37 02 48 9A 92 55 54 AE 3E D7 DA 00 22 81 4B 74 9F 7D 87 79 C2 92 E6 09 FE 9E 68 62 18 6A 05 E6 9C 69 06 41 87 82 71 1A 2C 88 5E 08 AD F5 2A DD 9E 31 6C , EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, ProcessId: 6156, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-QYW18E\exepath
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2024-12-20T16:26:04.320581+010020365941Malware Command and Control Activity Detected192.168.2.54970431.13.224.723421TCP
                      2024-12-20T16:26:07.273843+010020365941Malware Command and Control Activity Detected192.168.2.54970531.13.224.723421TCP
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2024-12-20T16:26:06.966456+010028033043Unknown Traffic192.168.2.549706178.237.33.5080TCP

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection

                      barindex
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeAvira: detected
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeMalware Configuration Extractor: Remcos {"Host:Port:Password": ["brideeded.duckdns.org:3421:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-QYW18E", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeReversingLabs: Detection: 71%
                      Source: Yara matchFile source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, type: SAMPLE
                      Source: Yara matchFile source: 0.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000003.00000000.2171408950.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000000.2169865938.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.4481470481.00000000006EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.2034425257.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000000.2176491254.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe PID: 6156, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe PID: 3060, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe PID: 6224, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe PID: 5736, type: MEMORYSTR
                      Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.7% probability
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeJoe Sandbox ML: detected
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,0_2_0043293A
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 2_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData,2_2_00404423
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: -----BEGIN PUBLIC KEY-----memstr_e7daf3d9-8

                      Exploits

                      barindex
                      Source: Yara matchFile source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, type: SAMPLE
                      Source: Yara matchFile source: 0.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000003.00000000.2171408950.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000000.2169865938.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.2034425257.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000000.2176491254.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe PID: 6156, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe PID: 3060, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe PID: 6224, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe PID: 5736, type: MEMORYSTR

                      Privilege Escalation

                      barindex
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_00406764 _wcslen,CoGetObject,0_2_00406764
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0040B335
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,0_2_0041B42F
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040B53A
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_0044D5E9 FindFirstFileExA,0_2_0044D5E9
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,0_2_004089A9
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_00406AC2 FindFirstFileW,FindNextFileW,0_2_00406AC2
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,0_2_00407A8C
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00418C69
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,0_2_00408DA7
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_100010F1
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_10006580 FindFirstFileExA,0_2_10006580
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 2_2_0040AE51 FindFirstFileW,FindNextFileW,2_2_0040AE51
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 3_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,3_2_00407EF8
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 4_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,4_2_00407898
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00406F06

                      Networking

                      barindex
                      Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49705 -> 31.13.224.72:3421
                      Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49704 -> 31.13.224.72:3421
                      Source: Malware configuration extractorURLs: brideeded.duckdns.org
                      Source: unknownDNS query: name: brideeded.duckdns.org
                      Source: global trafficTCP traffic: 192.168.2.5:49704 -> 31.13.224.72:3421
                      Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                      Source: Joe Sandbox ViewIP Address: 31.13.224.72 31.13.224.72
                      Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
                      Source: Joe Sandbox ViewASN Name: SARNICA-ASBG SARNICA-ASBG
                      Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49706 -> 178.237.33.50:80
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_004260F7 recv,0_2_004260F7
                      Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000002.4482493915.0000000003620000.00000040.10000000.00040000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000004.00000002.2178585632.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000002.00000003.2189545904.000000000093D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfms-settings:networkfile://192.168.2.1/all/install/setup.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000002.00000003.2189545904.000000000093D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfms-settings:networkfile://192.168.2.1/all/install/setup.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000004.00000002.2178585632.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000002.4482194404.0000000003530000.00000040.10000000.00040000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000002.4482194404.0000000003530000.00000040.10000000.00040000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
                      Source: global trafficDNS traffic detected: DNS query: brideeded.duckdns.org
                      Source: global trafficDNS traffic detected: DNS query: geoplugin.net
                      Source: bhvDE62.tmp.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt0
                      Source: bhvDE62.tmp.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                      Source: bhvDE62.tmp.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                      Source: bhvDE62.tmp.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                      Source: bhvDE62.tmp.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
                      Source: bhvDE62.tmp.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
                      Source: bhvDE62.tmp.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
                      Source: bhvDE62.tmp.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertCloudServicesCA-1-g1.crl0?
                      Source: bhvDE62.tmp.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                      Source: bhvDE62.tmp.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                      Source: bhvDE62.tmp.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
                      Source: bhvDE62.tmp.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                      Source: bhvDE62.tmp.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                      Source: bhvDE62.tmp.2.drString found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
                      Source: bhvDE62.tmp.2.drString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
                      Source: bhvDE62.tmp.2.drString found in binary or memory: http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl0
                      Source: bhvDE62.tmp.2.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                      Source: bhvDE62.tmp.2.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                      Source: bhvDE62.tmp.2.drString found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                      Source: bhvDE62.tmp.2.drString found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
                      Source: bhvDE62.tmp.2.drString found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000002.4481470481.000000000072F000.00000004.00000020.00020000.00000000.sdmp, bhvDE62.tmp.2.drString found in binary or memory: http://geoplugin.net/json.gp
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000003.2133006404.0000000000728000.00000004.00000020.00020000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000003.2169686872.0000000000720000.00000004.00000020.00020000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000003.2080099449.0000000000730000.00000004.00000020.00020000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000003.2193349054.000000000072D000.00000004.00000020.00020000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000003.2194669214.000000000072F000.00000004.00000020.00020000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000002.4481470481.000000000072F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp-nt&&
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeString found in binary or memory: http://geoplugin.net/json.gp/C
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000003.2080099449.0000000000751000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpD
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000003.2133006404.0000000000728000.00000004.00000020.00020000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000003.2169686872.0000000000720000.00000004.00000020.00020000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000003.2080099449.0000000000730000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpUi
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000003.2133006404.0000000000728000.00000004.00000020.00020000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000003.2169686872.0000000000720000.00000004.00000020.00020000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000003.2080099449.0000000000730000.00000004.00000020.00020000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000003.2193349054.000000000072D000.00000004.00000020.00020000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000003.2194669214.000000000072F000.00000004.00000020.00020000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000002.4481470481.000000000072F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gplcn
                      Source: bhvDE62.tmp.2.drString found in binary or memory: http://ocsp.digicert.com0
                      Source: bhvDE62.tmp.2.drString found in binary or memory: http://ocsp.digicert.com0:
                      Source: bhvDE62.tmp.2.drString found in binary or memory: http://ocsp.digicert.com0H
                      Source: bhvDE62.tmp.2.drString found in binary or memory: http://ocsp.digicert.com0I
                      Source: bhvDE62.tmp.2.drString found in binary or memory: http://ocsp.msocsp.com0
                      Source: bhvDE62.tmp.2.drString found in binary or memory: http://ocsp.msocsp.com0S
                      Source: bhvDE62.tmp.2.drString found in binary or memory: http://ocspx.digicert.com0E
                      Source: bhvDE62.tmp.2.drString found in binary or memory: http://www.digicert.com/CPS0
                      Source: bhvDE62.tmp.2.drString found in binary or memory: http://www.digicert.com/CPS0~
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000004.00000002.2178585632.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000004.00000003.2178295911.0000000000AFD000.00000004.00000020.00020000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000004.00000003.2178351436.0000000000AFD000.00000004.00000020.00020000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000004.00000002.2178585632.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.com
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000004.00000003.2178295911.0000000000AFD000.00000004.00000020.00020000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000004.00000003.2178351436.0000000000AFD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.comata
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000002.4482493915.0000000003620000.00000040.10000000.00040000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000004.00000002.2178585632.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000002.4482493915.0000000003620000.00000040.10000000.00040000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000004.00000002.2178585632.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comr
                      Source: bhvDE62.tmp.2.drString found in binary or memory: http://www.msftconnecttest.com/connecttest.txt?n=1696428304750
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000002.00000002.2190013601.0000000000193000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000004.00000002.2178585632.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpX
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-LAX31r5a&FrontEnd=AF
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://fp-afd-nocache.azureedge.net/apc/trans.gif?77686a33b2eafa1538ef78c3be5a5910
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://fp-afd-nocache.azureedge.net/apc/trans.gif?caa2cf97cacae25a18f577703684ee65
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?0cf92be82316943650f2ee723bc6949e
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?94fb5ac9609bcb4cda0bf8acf1827073
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?7e9591e308dbda599df1fc08720a72a3
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?c6a2869c584d2ea23c67c44abe1ec326
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://fp.msedge.net/conf/v1/asgw/fpconfig.min.json
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeString found in binary or memory: https://login.yahoo.com/config/login
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://maps.windows.com/windows-app-web-link
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-04-14-10-35/PreSignInSettingsConfig.json
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=4954a0
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-0debb885be07c402c948.js
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ec3581b6c9e6e9985aa7.chunk.v7.js
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.6c288f9aff9797959103.chunk.v7.js
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.9ba2d4c9e339ba497e10.chunk.v7.js
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-1652fd8b358d589e6ec0.js
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.52c45571d19ede0a7005.chunk.v7.j
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.d918c7fc33e22b41b936.chunk.v7.c
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000004.00000002.2178585632.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                      Source: bhvDE62.tmp.2.drString found in binary or memory: https://www.office.com/

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

                      barindex
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_004099E4 SetWindowsHookExA 0000000D,004099D0,000000000_2_004099E4
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,0_2_004159C6
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,0_2_004159C6
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 2_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,2_2_0040987A
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 2_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,2_2_004098E2
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 3_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,3_2_00406DFC
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 3_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,3_2_00406E9F
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 4_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,4_2_004068B5
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 4_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,4_2_004072B5
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,0_2_004159C6
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,0_2_00409B10
                      Source: Yara matchFile source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, type: SAMPLE
                      Source: Yara matchFile source: 0.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000003.00000000.2171408950.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000000.2169865938.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.2034425257.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000000.2176491254.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe PID: 6156, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe PID: 3060, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe PID: 6224, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe PID: 5736, type: MEMORYSTR

                      E-Banking Fraud

                      barindex
                      Source: Yara matchFile source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, type: SAMPLE
                      Source: Yara matchFile source: 0.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000003.00000000.2171408950.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000000.2169865938.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.4481470481.00000000006EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.2034425257.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000000.2176491254.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe PID: 6156, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe PID: 3060, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe PID: 6224, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe PID: 5736, type: MEMORYSTR

                      Spam, unwanted Advertisements and Ransom Demands

                      barindex
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_0041BB77 SystemParametersInfoW,0_2_0041BB77

                      System Summary

                      barindex
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, type: SAMPLEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, type: SAMPLEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, type: SAMPLEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 0.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 0.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 0.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 2.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 2.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 2.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 0.2.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 0.2.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 0.2.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 4.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 4.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 4.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 3.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 3.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 3.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 00000003.00000000.2171408950.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 00000002.00000000.2169865938.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 00000000.00000000.2034425257.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 00000004.00000000.2176491254.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: Process Memory Space: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe PID: 6156, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: Process Memory Space: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe PID: 3060, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: Process Memory Space: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe PID: 6224, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: Process Memory Space: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe PID: 5736, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeProcess Stats: CPU usage > 49%
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_00417245 GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,0_2_00417245
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle,0_2_0041ACC1
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle,0_2_0041ACED
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 2_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,2_2_0040DD85
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 2_2_00401806 NtdllDefWindowProc_W,2_2_00401806
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 2_2_004018C0 NtdllDefWindowProc_W,2_2_004018C0
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 3_2_004016FD NtdllDefWindowProc_A,3_2_004016FD
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 3_2_004017B7 NtdllDefWindowProc_A,3_2_004017B7
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 4_2_00402CAC NtdllDefWindowProc_A,4_2_00402CAC
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 4_2_00402D66 NtdllDefWindowProc_A,4_2_00402D66
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress,0_2_004158B9
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_0041D0710_2_0041D071
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_004520D20_2_004520D2
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_0043D0980_2_0043D098
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_004371500_2_00437150
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_004361AA0_2_004361AA
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_004262540_2_00426254
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_004313770_2_00431377
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_0043651C0_2_0043651C
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_0041E5DF0_2_0041E5DF
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_0044C7390_2_0044C739
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_004367C60_2_004367C6
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_004267CB0_2_004267CB
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_0043C9DD0_2_0043C9DD
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_00432A490_2_00432A49
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_00436A8D0_2_00436A8D
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_0043CC0C0_2_0043CC0C
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_00436D480_2_00436D48
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_00434D220_2_00434D22
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_00426E730_2_00426E73
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_00440E200_2_00440E20
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_0043CE3B0_2_0043CE3B
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_00412F450_2_00412F45
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_00452F000_2_00452F00
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_00426FAD0_2_00426FAD
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_100171940_2_10017194
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_1000B5C10_2_1000B5C1
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 2_2_0044B0402_2_0044B040
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 2_2_0043610D2_2_0043610D
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 2_2_004473102_2_00447310
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 2_2_0044A4902_2_0044A490
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 2_2_0040755A2_2_0040755A
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 2_2_0043C5602_2_0043C560
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 2_2_0044B6102_2_0044B610
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 2_2_0044D6C02_2_0044D6C0
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 2_2_004476F02_2_004476F0
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 2_2_0044B8702_2_0044B870
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 2_2_0044081D2_2_0044081D
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 2_2_004149572_2_00414957
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 2_2_004079EE2_2_004079EE
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 2_2_00407AEB2_2_00407AEB
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 2_2_0044AA802_2_0044AA80
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 2_2_00412AA92_2_00412AA9
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 2_2_00404B742_2_00404B74
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 2_2_00404B032_2_00404B03
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 2_2_0044BBD82_2_0044BBD8
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 2_2_00404BE52_2_00404BE5
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 2_2_00404C762_2_00404C76
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 2_2_00415CFE2_2_00415CFE
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 2_2_00416D722_2_00416D72
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 2_2_00446D302_2_00446D30
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 2_2_00446D8B2_2_00446D8B
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 2_2_00406E8F2_2_00406E8F
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 3_2_004050383_2_00405038
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 3_2_0041208C3_2_0041208C
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 3_2_004050A93_2_004050A9
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 3_2_0040511A3_2_0040511A
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 3_2_0043C13A3_2_0043C13A
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 3_2_004051AB3_2_004051AB
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 3_2_004493003_2_00449300
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 3_2_0040D3223_2_0040D322
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 3_2_0044A4F03_2_0044A4F0
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 3_2_0043A5AB3_2_0043A5AB
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 3_2_004136313_2_00413631
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 3_2_004466903_2_00446690
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 3_2_0044A7303_2_0044A730
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 3_2_004398D83_2_004398D8
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 3_2_004498E03_2_004498E0
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 3_2_0044A8863_2_0044A886
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 3_2_0043DA093_2_0043DA09
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 3_2_00438D5E3_2_00438D5E
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 3_2_00449ED03_2_00449ED0
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 3_2_0041FE833_2_0041FE83
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 3_2_00430F543_2_00430F54
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 4_2_004050C24_2_004050C2
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 4_2_004014AB4_2_004014AB
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 4_2_004051334_2_00405133
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 4_2_004051A44_2_004051A4
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 4_2_004012464_2_00401246
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 4_2_0040CA464_2_0040CA46
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 4_2_004052354_2_00405235
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 4_2_004032C84_2_004032C8
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 4_2_004222D94_2_004222D9
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 4_2_004016894_2_00401689
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 4_2_00402F604_2_00402F60
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: String function: 004169A7 appears 87 times
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: String function: 004165FF appears 35 times
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: String function: 00422297 appears 42 times
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: String function: 00401F66 appears 50 times
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: String function: 00433FB0 appears 55 times
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: String function: 004020E7 appears 40 times
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: String function: 0044DB70 appears 41 times
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: String function: 00444B5A appears 37 times
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: String function: 004338A5 appears 42 times
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: String function: 00413025 appears 79 times
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: String function: 00416760 appears 69 times
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000003.2195170292.000000000078B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemspass.exe8 vs 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000003.2193349054.0000000000773000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemspass.exe8 vs 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000003.2194451054.0000000000796000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemspass.exe8 vs 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000002.4482493915.000000000363B000.00000040.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamemspass.exe8 vs 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000003.2169686872.0000000000720000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemspass.exe8 vs 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeBinary or memory string: OriginalFileName vs 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeBinary or memory string: OriginalFilename vs 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000004.00000002.2178585632.000000000041B000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamemspass.exe8 vs 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, type: SAMPLEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, type: SAMPLEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, type: SAMPLEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 0.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 0.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 0.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 2.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 2.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 2.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 0.2.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 0.2.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 0.2.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 4.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 4.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 4.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 3.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 3.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 3.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 00000003.00000000.2171408950.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 00000002.00000000.2169865938.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 00000000.00000000.2034425257.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 00000004.00000000.2176491254.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe PID: 6156, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe PID: 3060, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe PID: 6224, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe PID: 5736, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: classification engineClassification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@7/3@2/2
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 2_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,2_2_004182CE
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,0_2_00416AB7
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 4_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,4_2_00410DE1
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 2_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,2_2_00418758
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,0_2_0040E219
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_0041A63F FindResourceA,LoadResource,LockResource,SizeofResource,0_2_0041A63F
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,0_2_00419BC4
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\json[1].jsonJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-QYW18E
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeFile created: C:\Users\user\AppData\Local\Temp\bhvDE62.tmpJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCommand line argument: Software\0_2_0040D767
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCommand line argument: Rmc-QYW18E0_2_0040D767
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCommand line argument: Exe0_2_0040D767
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCommand line argument: Exe0_2_0040D767
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCommand line argument: Rmc-QYW18E0_2_0040D767
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCommand line argument: 0DG0_2_0040D767
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCommand line argument: Inj0_2_0040D767
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCommand line argument: Inj0_2_0040D767
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCommand line argument: 0?o0_2_0040D767
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCommand line argument: exepath0_2_0040D767
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCommand line argument: 0?o0_2_0040D767
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCommand line argument: exepath0_2_0040D767
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCommand line argument: licence0_2_0040D767
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCommand line argument: `=G0_2_0040D767
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCommand line argument: dCG0_2_0040D767
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCommand line argument: Administrator0_2_0040D767
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCommand line argument: User0_2_0040D767
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCommand line argument: del0_2_0040D767
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCommand line argument: del0_2_0040D767
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCommand line argument: del0_2_0040D767
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSystem information queried: HandleInformationJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000003.00000002.2176902433.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000002.4482194404.0000000003530000.00000040.10000000.00040000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000002.00000003.2189278581.0000000002214000.00000004.00000020.00020000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000002.00000003.2186490810.0000000002212000.00000004.00000020.00020000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000002.00000002.2191732163.0000000002214000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeReversingLabs: Detection: 71%
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeEvasive API call chain: __getmainargs,DecisionNodes,exit
                      Source: unknownProcess created: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe "C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe"
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeProcess created: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\smneazorfckbjbutbkwjb"
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeProcess created: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\doaxbszlbkcgthrfkvjdmoalt"
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeProcess created: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\nifpbkkmpsusvnfjcgeeptnccmmr"
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeProcess created: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\smneazorfckbjbutbkwjb"Jump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeProcess created: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\doaxbszlbkcgthrfkvjdmoalt"Jump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeProcess created: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\nifpbkkmpsusvnfjcgeeptnccmmr"Jump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: winmm.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: pstorec.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: vaultcli.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: pstorec.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeFile opened: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.cfgJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\AccountsJump to behavior
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                      Data Obfuscation

                      barindex
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeUnpacked PE file: 2.2.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeUnpacked PE file: 3.2.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeUnpacked PE file: 4.2.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041BCE3
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_004567E0 push eax; ret 0_2_004567FE
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_00455EAF push ecx; ret 0_2_00455EC2
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_00433FF6 push ecx; ret 0_2_00434009
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_10002806 push ecx; ret 0_2_10002819
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_10013E74 push ecx; retf 0_2_10013F2B
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 2_2_0044693D push ecx; ret 2_2_0044694D
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 2_2_0044DB70 push eax; ret 2_2_0044DB84
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 2_2_0044DB70 push eax; ret 2_2_0044DBAC
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 2_2_00451D54 push eax; ret 2_2_00451D61
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 3_2_0044B090 push eax; ret 3_2_0044B0A4
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 3_2_0044B090 push eax; ret 3_2_0044B0CC
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 3_2_00451D34 push eax; ret 3_2_00451D41
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 3_2_00444E71 push ecx; ret 3_2_00444E81
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 4_2_00414060 push eax; ret 4_2_00414074
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 4_2_00414060 push eax; ret 4_2_0041409C
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 4_2_00414039 push ecx; ret 4_2_00414049
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 4_2_004164EB push 0000006Ah; retf 4_2_004165C4
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 4_2_00416553 push 0000006Ah; retf 4_2_004165C4
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 4_2_00416555 push 0000006Ah; retf 4_2_004165C4
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_00406128 ShellExecuteW,URLDownloadToFileW,0_2_00406128
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,0_2_00419BC4
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041BCE3
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion

                      barindex
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_0040E54F Sleep,ExitProcess,0_2_0040E54F
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 2_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,2_2_0040DD85
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,0_2_004198C2
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeWindow / User API: threadDelayed 3240Jump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeWindow / User API: threadDelayed 6745Jump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)graph_0-53413
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeAPI coverage: 9.9 %
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe TID: 6504Thread sleep count: 3240 > 30Jump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe TID: 6504Thread sleep time: -9720000s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe TID: 6504Thread sleep count: 6745 > 30Jump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe TID: 6504Thread sleep time: -20235000s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0040B335
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,0_2_0041B42F
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040B53A
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_0044D5E9 FindFirstFileExA,0_2_0044D5E9
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,0_2_004089A9
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_00406AC2 FindFirstFileW,FindNextFileW,0_2_00406AC2
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,0_2_00407A8C
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00418C69
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,0_2_00408DA7
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_100010F1
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_10006580 FindFirstFileExA,0_2_10006580
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 2_2_0040AE51 FindFirstFileW,FindNextFileW,2_2_0040AE51
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 3_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,3_2_00407EF8
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 4_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,4_2_00407898
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00406F06
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 2_2_00418981 memset,GetSystemInfo,2_2_00418981
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000003.2193349054.0000000000773000.00000004.00000020.00020000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000003.4044736726.0000000000773000.00000004.00000020.00020000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000003.2080442200.0000000000773000.00000004.00000020.00020000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000002.4481470481.00000000006EE000.00000004.00000020.00020000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000002.4481681445.0000000000773000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                      Source: bhvDE62.tmp.2.drBinary or memory string: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpXOaQeBtbq%2B7LgJauNdx5lF%2FQ%2FOy2qwXRNGjU%3D&Manufacturer=VMware%2C%20Inc.&Model=VMware20%2C1&Language=en&Locale=en-US
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeAPI call chain: ExitProcess graph end nodegraph_0-54062
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeAPI call chain: ExitProcess graph end node
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0043A65D
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 2_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,2_2_0040DD85
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041BCE3
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_00442554 mov eax, dword ptr fs:[00000030h]0_2_00442554
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_10004AB4 mov eax, dword ptr fs:[00000030h]0_2_10004AB4
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_00410B19 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,SetLastError,SetLastError,0_2_00410B19
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00434168
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0043A65D
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00433B44
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_00433CD7 SetUnhandledExceptionFilter,0_2_00433CD7
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_100060E2
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_10002639
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_10002B1C

                      HIPS / PFW / Operating System Protection Evasion

                      barindex
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_00417245 GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,0_2_00417245
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: NULL target: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe protection: execute and read and writeJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: NULL target: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe protection: execute and read and writeJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeSection loaded: NULL target: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe protection: execute and read and writeJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe0_2_00410F36
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_00418754 mouse_event,0_2_00418754
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeProcess created: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\smneazorfckbjbutbkwjb"Jump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeProcess created: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\doaxbszlbkcgthrfkvjdmoalt"Jump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeProcess created: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\nifpbkkmpsusvnfjcgeeptnccmmr"Jump to behavior
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000002.4481574953.0000000000751000.00000004.00000020.00020000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000003.4044660881.0000000000751000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000002.4481574953.0000000000751000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerA
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000002.4481574953.0000000000751000.00000004.00000020.00020000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000003.4044660881.0000000000751000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerT
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000002.4481574953.0000000000751000.00000004.00000020.00020000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000003.4044660881.0000000000751000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |Program Manager|
                      Source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000002.4481574953.0000000000751000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managery
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_00433E0A cpuid 0_2_00433E0A
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: GetLocaleInfoA,0_2_0040E679
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: EnumSystemLocalesW,0_2_004470AE
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: GetLocaleInfoW,0_2_004510BA
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_004511E3
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: GetLocaleInfoW,0_2_004512EA
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_004513B7
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: GetLocaleInfoW,0_2_00447597
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_00450A7F
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: EnumSystemLocalesW,0_2_00450CF7
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: EnumSystemLocalesW,0_2_00450D42
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: EnumSystemLocalesW,0_2_00450DDD
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00450E6A
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_00404915 GetLocalTime,CreateEventA,CreateThread,0_2_00404915
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_0041A7A2 GetComputerNameExW,GetUserNameW,0_2_0041A7A2
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 0_2_0044800F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,0_2_0044800F
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: 2_2_0041739B GetVersionExW,2_2_0041739B
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                      Stealing of Sensitive Information

                      barindex
                      Source: Yara matchFile source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, type: SAMPLE
                      Source: Yara matchFile source: 0.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000003.00000000.2171408950.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000000.2169865938.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.4481470481.00000000006EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.2034425257.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000000.2176491254.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe PID: 6156, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe PID: 3060, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe PID: 6224, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe PID: 5736, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: \AppData\Local\Google\Chrome\User Data\Default\Login Data0_2_0040B21B
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: \AppData\Roaming\Mozilla\Firefox\Profiles\0_2_0040B335
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: \key3.db0_2_0040B335
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqliteJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.dbJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\AccountsJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic SaltJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic SaltJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\AccountsJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeKey opened: HKEY_CURRENT_USER\Software\PaltalkJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\AccountsJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live MailJump to behavior
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: ESMTPPassword3_2_004033F0
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword3_2_00402DB3
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword3_2_00402DB3
                      Source: Yara matchFile source: Process Memory Space: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe PID: 6156, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe PID: 3060, type: MEMORYSTR

                      Remote Access Functionality

                      barindex
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-QYW18EJump to behavior
                      Source: Yara matchFile source: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, type: SAMPLE
                      Source: Yara matchFile source: 0.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.0.1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000003.00000000.2171408950.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000000.2169865938.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.4481470481.00000000006EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.2034425257.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000000.2176491254.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe PID: 6156, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe PID: 3060, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe PID: 6224, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe PID: 5736, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeCode function: cmd.exe0_2_00405042
                      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                      Gather Victim Identity InformationAcquire InfrastructureValid Accounts11
                      Native API
                      1
                      DLL Side-Loading
                      1
                      DLL Side-Loading
                      1
                      Deobfuscate/Decode Files or Information
                      2
                      OS Credential Dumping
                      2
                      System Time Discovery
                      Remote Services11
                      Archive Collected Data
                      12
                      Ingress Tool Transfer
                      Exfiltration Over Other Network Medium1
                      System Shutdown/Reboot
                      CredentialsDomainsDefault Accounts13
                      Command and Scripting Interpreter
                      1
                      Windows Service
                      1
                      Bypass User Account Control
                      2
                      Obfuscated Files or Information
                      111
                      Input Capture
                      1
                      Account Discovery
                      Remote Desktop Protocol1
                      Data from Local System
                      2
                      Encrypted Channel
                      Exfiltration Over Bluetooth1
                      Defacement
                      Email AddressesDNS ServerDomain Accounts2
                      Service Execution
                      Logon Script (Windows)1
                      Access Token Manipulation
                      1
                      Software Packing
                      2
                      Credentials in Registry
                      1
                      System Service Discovery
                      SMB/Windows Admin Shares1
                      Email Collection
                      1
                      Non-Standard Port
                      Automated ExfiltrationData Encrypted for Impact
                      Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
                      Windows Service
                      1
                      DLL Side-Loading
                      3
                      Credentials In Files
                      3
                      File and Directory Discovery
                      Distributed Component Object Model111
                      Input Capture
                      1
                      Remote Access Software
                      Traffic DuplicationData Destruction
                      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script222
                      Process Injection
                      1
                      Bypass User Account Control
                      LSA Secrets38
                      System Information Discovery
                      SSH3
                      Clipboard Data
                      2
                      Non-Application Layer Protocol
                      Scheduled TransferData Encrypted for Impact
                      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                      Masquerading
                      Cached Domain Credentials31
                      Security Software Discovery
                      VNCGUI Input Capture22
                      Application Layer Protocol
                      Data Transfer Size LimitsService Stop
                      DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                      Virtualization/Sandbox Evasion
                      DCSync1
                      Virtualization/Sandbox Evasion
                      Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                      Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                      Access Token Manipulation
                      Proc Filesystem4
                      Process Discovery
                      Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                      Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt222
                      Process Injection
                      /etc/passwd and /etc/shadow1
                      Application Window Discovery
                      Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                      IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCronDynamic API ResolutionNetwork Sniffing1
                      System Owner/User Discovery
                      Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1578899 Sample: 1734707047fff7a4a195c1e7715... Startdate: 20/12/2024 Architecture: WINDOWS Score: 100 18 brideeded.duckdns.org 2->18 20 geoplugin.net 2->20 26 Suricata IDS alerts for network traffic 2->26 28 Found malware configuration 2->28 30 Malicious sample detected (through community Yara rule) 2->30 34 9 other signatures 2->34 7 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe 3 13 2->7         started        signatures3 32 Uses dynamic DNS services 18->32 process4 dnsIp5 22 brideeded.duckdns.org 31.13.224.72, 3421, 49704, 49705 SARNICA-ASBG Bulgaria 7->22 24 geoplugin.net 178.237.33.50, 49706, 80 ATOM86-ASATOM86NL Netherlands 7->24 36 Contains functionality to bypass UAC (CMSTPLUA) 7->36 38 Detected unpacking (changes PE section rights) 7->38 40 Detected Remcos RAT 7->40 42 8 other signatures 7->42 11 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe 1 7->11         started        14 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe 1 7->14         started        16 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe 2 7->16         started        signatures6 process7 signatures8 44 Tries to steal Instant Messenger accounts or passwords 11->44 46 Tries to harvest and steal browser information (history, passwords, etc) 11->46 48 Tries to steal Mail credentials (via file / registry access) 14->48

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                      windows-stand
                      SourceDetectionScannerLabelLink
                      1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe71%ReversingLabsWin32.Backdoor.Remcos
                      1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe100%AviraBDS/Backdoor.Gen
                      1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe100%Joe Sandbox ML
                      No Antivirus matches
                      No Antivirus matches
                      No Antivirus matches
                      No Antivirus matches
                      NameIPActiveMaliciousAntivirus DetectionReputation
                      geoplugin.net
                      178.237.33.50
                      truefalse
                        high
                        brideeded.duckdns.org
                        31.13.224.72
                        truetrue
                          unknown
                          NameMaliciousAntivirus DetectionReputation
                          brideeded.duckdns.orgtrue
                            unknown
                            http://geoplugin.net/json.gpfalse
                              high
                              NameSourceMaliciousAntivirus DetectionReputation
                              https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=PbhvDE62.tmp.2.drfalse
                                high
                                https://www.office.com/bhvDE62.tmp.2.drfalse
                                  high
                                  http://www.imvu.comr1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000002.4482493915.0000000003620000.00000040.10000000.00040000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000004.00000002.2178585632.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                                    high
                                    https://fp-afd.azurefd.us/apc/trans.gif?0cf92be82316943650f2ee723bc6949ebhvDE62.tmp.2.drfalse
                                      high
                                      http://www.imvu.com1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000004.00000003.2178295911.0000000000AFD000.00000004.00000020.00020000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000004.00000003.2178351436.0000000000AFD000.00000004.00000020.00020000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000004.00000002.2178585632.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                                        high
                                        http://www.nirsoft.net1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000002.00000002.2190013601.0000000000193000.00000004.00000010.00020000.00000000.sdmpfalse
                                          high
                                          https://aefd.nelreports.net/api/report?cat=bingaotakbhvDE62.tmp.2.drfalse
                                            high
                                            https://deff.nelreports.net/api/report?cat=msnbhvDE62.tmp.2.drfalse
                                              high
                                              http://geoplugin.net/json.gp-nt&&1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000003.2133006404.0000000000728000.00000004.00000020.00020000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000003.2169686872.0000000000720000.00000004.00000020.00020000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000003.2080099449.0000000000730000.00000004.00000020.00020000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000003.2193349054.000000000072D000.00000004.00000020.00020000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000003.2194669214.000000000072F000.00000004.00000020.00020000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000002.4481470481.000000000072F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                high
                                                http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000002.4482493915.0000000003620000.00000040.10000000.00040000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000004.00000002.2178585632.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                                                  high
                                                  http://geoplugin.net/json.gpD1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000003.2080099449.0000000000751000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    high
                                                    https://www.google.com1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000004.00000002.2178585632.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                                                      high
                                                      https://fp-afd.azurefd.us/apc/trans.gif?94fb5ac9609bcb4cda0bf8acf1827073bhvDE62.tmp.2.drfalse
                                                        high
                                                        https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-LAX31r5a&FrontEnd=AFbhvDE62.tmp.2.drfalse
                                                          high
                                                          https://aefd.nelreports.net/api/report?cat=bingaotbhvDE62.tmp.2.drfalse
                                                            high
                                                            http://geoplugin.net/json.gp/C1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exefalse
                                                              high
                                                              http://geoplugin.net/json.gpUi1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000003.2133006404.0000000000728000.00000004.00000020.00020000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000003.2169686872.0000000000720000.00000004.00000020.00020000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000003.2080099449.0000000000730000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                high
                                                                http://geoplugin.net/json.gplcn1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000003.2133006404.0000000000728000.00000004.00000020.00020000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000003.2169686872.0000000000720000.00000004.00000020.00020000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000003.2080099449.0000000000730000.00000004.00000020.00020000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000003.2193349054.000000000072D000.00000004.00000020.00020000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000003.2194669214.000000000072F000.00000004.00000020.00020000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000000.00000002.4481470481.000000000072F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://maps.windows.com/windows-app-web-linkbhvDE62.tmp.2.drfalse
                                                                    high
                                                                    https://aefd.nelreports.net/api/report?cat=bingrmsbhvDE62.tmp.2.drfalse
                                                                      high
                                                                      https://www.google.com/accounts/servicelogin1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exefalse
                                                                        high
                                                                        https://login.yahoo.com/config/login1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exefalse
                                                                          high
                                                                          http://www.nirsoft.net/1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000004.00000002.2178585632.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                            high
                                                                            http://www.imvu.comata1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000004.00000003.2178295911.0000000000AFD000.00000004.00000020.00020000.00000000.sdmp, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000004.00000003.2178351436.0000000000AFD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              unknown
                                                                              http://www.ebuddy.com1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, 00000004.00000002.2178585632.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                                high
                                                                                • No. of IPs < 25%
                                                                                • 25% < No. of IPs < 50%
                                                                                • 50% < No. of IPs < 75%
                                                                                • 75% < No. of IPs
                                                                                IPDomainCountryFlagASNASN NameMalicious
                                                                                31.13.224.72
                                                                                brideeded.duckdns.orgBulgaria
                                                                                48584SARNICA-ASBGtrue
                                                                                178.237.33.50
                                                                                geoplugin.netNetherlands
                                                                                8455ATOM86-ASATOM86NLfalse
                                                                                Joe Sandbox version:41.0.0 Charoite
                                                                                Analysis ID:1578899
                                                                                Start date and time:2024-12-20 16:25:11 +01:00
                                                                                Joe Sandbox product:CloudBasic
                                                                                Overall analysis duration:0h 7m 58s
                                                                                Hypervisor based Inspection enabled:false
                                                                                Report type:full
                                                                                Cookbook file name:default.jbs
                                                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                Number of analysed new started processes analysed:7
                                                                                Number of new started drivers analysed:0
                                                                                Number of existing processes analysed:0
                                                                                Number of existing drivers analysed:0
                                                                                Number of injected processes analysed:0
                                                                                Technologies:
                                                                                • HCA enabled
                                                                                • EGA enabled
                                                                                • AMSI enabled
                                                                                Analysis Mode:default
                                                                                Analysis stop reason:Timeout
                                                                                Sample name:1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe
                                                                                Detection:MAL
                                                                                Classification:mal100.rans.phis.troj.spyw.expl.evad.winEXE@7/3@2/2
                                                                                EGA Information:
                                                                                • Successful, ratio: 100%
                                                                                HCA Information:
                                                                                • Successful, ratio: 99%
                                                                                • Number of executed functions: 137
                                                                                • Number of non-executed functions: 300
                                                                                Cookbook Comments:
                                                                                • Found application associated with file extension: .exe
                                                                                • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                                • Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56
                                                                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                • VT rate limit hit for: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe
                                                                                TimeTypeDescription
                                                                                10:26:37API Interceptor4400739x Sleep call for process: 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe modified
                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                31.13.224.7217346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                                                                  greatnew.docGet hashmaliciousRemcosBrowse
                                                                                    #U041f#U043b#U0430#U0449#U0430#U043d#U0435.docxGet hashmaliciousRemcosBrowse
                                                                                      0200011080.xlsGet hashmaliciousRemcos, HTMLPhisherBrowse
                                                                                        17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                                                                          Sipari#U015f_listesi.xlsGet hashmaliciousRemcos, HTMLPhisherBrowse
                                                                                            OC25-11-24.xlsGet hashmaliciousRemcos, HTMLPhisherBrowse
                                                                                              178.237.33.50SHROsQyiAd.exeGet hashmaliciousRemcosBrowse
                                                                                              • geoplugin.net/json.gp
                                                                                              nikDoCvpJa.exeGet hashmaliciousRemcosBrowse
                                                                                              • geoplugin.net/json.gp
                                                                                              17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                                                                              • geoplugin.net/json.gp
                                                                                              LbtytfWpvx.vbsGet hashmaliciousRemcosBrowse
                                                                                              • geoplugin.net/json.gp
                                                                                              SEPTobn3BR.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                              • geoplugin.net/json.gp
                                                                                              greatindiancompaniesgivenbestgiftforyourhealthgivengoodreturns.htaGet hashmaliciousCobalt Strike, Remcos, DBatLoaderBrowse
                                                                                              • geoplugin.net/json.gp
                                                                                              RFQ NO 65-58003.exeGet hashmaliciousRemcosBrowse
                                                                                              • geoplugin.net/json.gp
                                                                                              SwiftCopy_PaymtRecpt121228.exeGet hashmaliciousRemcosBrowse
                                                                                              • geoplugin.net/json.gp
                                                                                              BBVA S.A..vbsGet hashmaliciousRemcosBrowse
                                                                                              • geoplugin.net/json.gp
                                                                                              Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                              • geoplugin.net/json.gp
                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                              geoplugin.netSHROsQyiAd.exeGet hashmaliciousRemcosBrowse
                                                                                              • 178.237.33.50
                                                                                              nikDoCvpJa.exeGet hashmaliciousRemcosBrowse
                                                                                              • 178.237.33.50
                                                                                              17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                                                                              • 178.237.33.50
                                                                                              LbtytfWpvx.vbsGet hashmaliciousRemcosBrowse
                                                                                              • 178.237.33.50
                                                                                              SEPTobn3BR.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                              • 178.237.33.50
                                                                                              greatindiancompaniesgivenbestgiftforyourhealthgivengoodreturns.htaGet hashmaliciousCobalt Strike, Remcos, DBatLoaderBrowse
                                                                                              • 178.237.33.50
                                                                                              RFQ NO 65-58003.exeGet hashmaliciousRemcosBrowse
                                                                                              • 178.237.33.50
                                                                                              SwiftCopy_PaymtRecpt121228.exeGet hashmaliciousRemcosBrowse
                                                                                              • 178.237.33.50
                                                                                              BBVA S.A..vbsGet hashmaliciousRemcosBrowse
                                                                                              • 178.237.33.50
                                                                                              Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                              • 178.237.33.50
                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                              SARNICA-ASBG17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                                                                              • 31.13.224.72
                                                                                              sh4.elfGet hashmaliciousMiraiBrowse
                                                                                              • 31.13.224.244
                                                                                              armv4l.elfGet hashmaliciousMiraiBrowse
                                                                                              • 31.13.224.244
                                                                                              m68k.elfGet hashmaliciousMiraiBrowse
                                                                                              • 31.13.224.244
                                                                                              mipsel.elfGet hashmaliciousMiraiBrowse
                                                                                              • 31.13.224.244
                                                                                              armv6l.elfGet hashmaliciousMiraiBrowse
                                                                                              • 31.13.224.244
                                                                                              mips.elfGet hashmaliciousMiraiBrowse
                                                                                              • 31.13.224.244
                                                                                              sparc.elfGet hashmaliciousMiraiBrowse
                                                                                              • 31.13.224.244
                                                                                              armv7l.elfGet hashmaliciousMiraiBrowse
                                                                                              • 31.13.224.244
                                                                                              powerpc.elfGet hashmaliciousMiraiBrowse
                                                                                              • 31.13.224.244
                                                                                              ATOM86-ASATOM86NLSHROsQyiAd.exeGet hashmaliciousRemcosBrowse
                                                                                              • 178.237.33.50
                                                                                              nikDoCvpJa.exeGet hashmaliciousRemcosBrowse
                                                                                              • 178.237.33.50
                                                                                              17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                                                                              • 178.237.33.50
                                                                                              LbtytfWpvx.vbsGet hashmaliciousRemcosBrowse
                                                                                              • 178.237.33.50
                                                                                              SEPTobn3BR.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                              • 178.237.33.50
                                                                                              greatindiancompaniesgivenbestgiftforyourhealthgivengoodreturns.htaGet hashmaliciousCobalt Strike, Remcos, DBatLoaderBrowse
                                                                                              • 178.237.33.50
                                                                                              RFQ NO 65-58003.exeGet hashmaliciousRemcosBrowse
                                                                                              • 178.237.33.50
                                                                                              SwiftCopy_PaymtRecpt121228.exeGet hashmaliciousRemcosBrowse
                                                                                              • 178.237.33.50
                                                                                              BBVA S.A..vbsGet hashmaliciousRemcosBrowse
                                                                                              • 178.237.33.50
                                                                                              Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                              • 178.237.33.50
                                                                                              No context
                                                                                              No context
                                                                                              Process:C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe
                                                                                              File Type:JSON data
                                                                                              Category:dropped
                                                                                              Size (bytes):963
                                                                                              Entropy (8bit):5.0171130712019085
                                                                                              Encrypted:false
                                                                                              SSDEEP:12:tkluWJmnd66GkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkD:qlupdbauKyGX85jvXhNlT3/7CcVKWro
                                                                                              MD5:0A55905951B6633AC409C89A600E5B38
                                                                                              SHA1:A8D63D48564E1A2F3C222B98C163E9B541042DA2
                                                                                              SHA-256:1E06332C729A91A1DBE6ABE75457CA239DAB2B3EC27E3AAC6BD57D357EF35FEC
                                                                                              SHA-512:99BE9B0C66C0C52F9F96B764146382DF6A93CF4EC053219903C2B7316136DDAA7E4510EBB5D4BADE50685C6A77F52FD81F594A22D7BF147576F464C3FAABD486
                                                                                              Malicious:false
                                                                                              Reputation:low
                                                                                              Preview:{. "geoplugin_request":"8.46.123.189",. "geoplugin_status":200,. "geoplugin_delay":"0ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7503",. "geoplugin_longitude":"-74.0014",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                                                              Process:C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe
                                                                                              File Type:Extensible storage engine DataBase, version 0x620, checksum 0xeebc49df, page size 32768, DirtyShutdown, Windows version 10.0
                                                                                              Category:dropped
                                                                                              Size (bytes):17301504
                                                                                              Entropy (8bit):0.8012509657022758
                                                                                              Encrypted:false
                                                                                              SSDEEP:6144:qdfjZb5aXEY2waXEY24URlWe4APXAP5APzAPwbndOO8pHAP6JnTJnTbnSotnBQ+z:oVQ4e81ySaKKjLrONseWe
                                                                                              MD5:67CC8BBB8DE480C99027369A4B137550
                                                                                              SHA1:D0B983AF08BBAF2D411E76FDD88B9AB43BFEB334
                                                                                              SHA-256:FDF177F6CFFE8672C4FC4B7D75FC60A1D3CF8133EEFF8261A17DDED3EC8CB508
                                                                                              SHA-512:5E920EB0D5F0BC57E0CA1AB5259BAD984FC0EC788B7466E153B06AC5C8A232AA01CE7A5CAEA0F0EA5E0BF1C57B8840CB712FD6DE50AEC8D92F94F6B2344B8613
                                                                                              Malicious:false
                                                                                              Reputation:low
                                                                                              Preview:.I.... .......;!......E{ow("...{........................@...../....{..0....|w.h.B............................("...{q............................................................................................._...........eJ......n........................................................................................................... ............{...................................................................................................................................................................................................{].................................`R..0....|......................0....|...........................#......h.B.....................................................................................................................................................................................................................................................................................................................................................
                                                                                              Process:C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe
                                                                                              File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):2
                                                                                              Entropy (8bit):1.0
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:Qn:Qn
                                                                                              MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                              SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                              SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                              SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                              Malicious:false
                                                                                              Reputation:high, very likely benign file
                                                                                              Preview:..
                                                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                              Entropy (8bit):6.586740411906799
                                                                                              TrID:
                                                                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                              • DOS Executable Generic (2002/1) 0.02%
                                                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                              File name:1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe
                                                                                              File size:493'056 bytes
                                                                                              MD5:b109b6b9485443491013e40fcc73ae5c
                                                                                              SHA1:5834449d4c050d5728118fc8db318ba4f4d10044
                                                                                              SHA256:453b0540237bb16db04d003e1e608ff89d1d749d8e2828edfbd1cd1b97b5ff75
                                                                                              SHA512:aac6c408e60a6dbe4fc551cb8fc1120e8414eaf38cb751e066253680990c1256247c5f97a8b5e9cc62fb46ae34de063820d69674ab78831a0ecc78d00b6d661b
                                                                                              SSDEEP:12288:buD09AUkNIGBYYv4eK13x13nZHSRVMf139F5wIB7+IwtHwBtVxbesvZDSy+DY:e09AfNIEYsunZvZ19ZNs
                                                                                              TLSH:5DA4BF01B6D2C072D57625300D26E775DEBDBD212835897BB3DA1D67FE30180E63AAB2
                                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)...H...H...H....(..H....*..H....+..H...0]..H..&....H... ...H... ...H... ...H...0J..H...H...I...!...H...!&..H...!...H..Rich.H.
                                                                                              Icon Hash:95694d05214c1b33
                                                                                              Entrypoint:0x433b3a
                                                                                              Entrypoint Section:.text
                                                                                              Digitally signed:false
                                                                                              Imagebase:0x400000
                                                                                              Subsystem:windows gui
                                                                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                              DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                                              Time Stamp:0x6724916B [Fri Nov 1 08:29:31 2024 UTC]
                                                                                              TLS Callbacks:
                                                                                              CLR (.Net) Version:
                                                                                              OS Version Major:5
                                                                                              OS Version Minor:1
                                                                                              File Version Major:5
                                                                                              File Version Minor:1
                                                                                              Subsystem Version Major:5
                                                                                              Subsystem Version Minor:1
                                                                                              Import Hash:e77512f955eaf60ccff45e02d69234de
                                                                                              Instruction
                                                                                              call 00007F328CB76B83h
                                                                                              jmp 00007F328CB764DFh
                                                                                              push ebp
                                                                                              mov ebp, esp
                                                                                              sub esp, 00000324h
                                                                                              push ebx
                                                                                              push 00000017h
                                                                                              call 00007F328CB989B9h
                                                                                              test eax, eax
                                                                                              je 00007F328CB76667h
                                                                                              mov ecx, dword ptr [ebp+08h]
                                                                                              int 29h
                                                                                              push 00000003h
                                                                                              call 00007F328CB76824h
                                                                                              mov dword ptr [esp], 000002CCh
                                                                                              lea eax, dword ptr [ebp-00000324h]
                                                                                              push 00000000h
                                                                                              push eax
                                                                                              call 00007F328CB78B3Bh
                                                                                              add esp, 0Ch
                                                                                              mov dword ptr [ebp-00000274h], eax
                                                                                              mov dword ptr [ebp-00000278h], ecx
                                                                                              mov dword ptr [ebp-0000027Ch], edx
                                                                                              mov dword ptr [ebp-00000280h], ebx
                                                                                              mov dword ptr [ebp-00000284h], esi
                                                                                              mov dword ptr [ebp-00000288h], edi
                                                                                              mov word ptr [ebp-0000025Ch], ss
                                                                                              mov word ptr [ebp-00000268h], cs
                                                                                              mov word ptr [ebp-0000028Ch], ds
                                                                                              mov word ptr [ebp-00000290h], es
                                                                                              mov word ptr [ebp-00000294h], fs
                                                                                              mov word ptr [ebp-00000298h], gs
                                                                                              pushfd
                                                                                              pop dword ptr [ebp-00000264h]
                                                                                              mov eax, dword ptr [ebp+04h]
                                                                                              mov dword ptr [ebp-0000026Ch], eax
                                                                                              lea eax, dword ptr [ebp+04h]
                                                                                              mov dword ptr [ebp-00000260h], eax
                                                                                              mov dword ptr [ebp-00000324h], 00010001h
                                                                                              mov eax, dword ptr [eax-04h]
                                                                                              push 00000050h
                                                                                              mov dword ptr [ebp-00000270h], eax
                                                                                              lea eax, dword ptr [ebp-58h]
                                                                                              push 00000000h
                                                                                              push eax
                                                                                              call 00007F328CB78AB1h
                                                                                              Programming Language:
                                                                                              • [C++] VS2008 SP1 build 30729
                                                                                              • [IMP] VS2008 SP1 build 30729
                                                                                              NameVirtual AddressVirtual Size Is in Section
                                                                                              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                              IMAGE_DIRECTORY_ENTRY_IMPORT0x6e0200x104.rdata
                                                                                              IMAGE_DIRECTORY_ENTRY_RESOURCE0x760000x4b30.rsrc
                                                                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                              IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                              IMAGE_DIRECTORY_ENTRY_BASERELOC0x7b0000x3b80.reloc
                                                                                              IMAGE_DIRECTORY_ENTRY_DEBUG0x6c5100x38.rdata
                                                                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                              IMAGE_DIRECTORY_ENTRY_TLS0x6c5e80x18.rdata
                                                                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x6c5480x40.rdata
                                                                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                              IMAGE_DIRECTORY_ENTRY_IAT0x570000x4f4.rdata
                                                                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                                              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0
                                                                                              NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                              .text0x10000x55f1d0x5600030cda225e02a0d4dab478a6c7c094860False0.5738610555959303data6.62127843313247IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                              .rdata0x570000x18b000x18c009800e1a5325bb58aa054e318c8bb055aFalse0.49812578914141414OpenPGP Secret Key Version 65.758930104385571IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                              .data0x700000x5d6c0xe0006414e748130e7e668ba2ba172d63448False0.22684151785714285data3.093339598098017IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                              .rsrc0x760000x4b300x4c003f46272b259d919b44cd5aadf63f78fbFalse0.2823293585526316data3.9878117788743395IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                              .reloc0x7b0000x3b800x3c003a880743591ae3410d0dc26d7322ddd0False0.7569661458333333data6.695050823503309IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                                              NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                              RT_ICON0x7618c0x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088EnglishUnited States0.3421985815602837
                                                                                              RT_ICON0x765f40x988Device independent bitmap graphic, 24 x 48 x 32, image size 2400EnglishUnited States0.27704918032786885
                                                                                              RT_ICON0x76f7c0x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224EnglishUnited States0.23686679174484052
                                                                                              RT_ICON0x780240x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9600EnglishUnited States0.22977178423236513
                                                                                              RT_RCDATA0x7a5cc0x523Dyalog APL session version -80.-271.0083650190114068
                                                                                              RT_GROUP_ICON0x7aaf00x3edataEnglishUnited States0.8064516129032258
                                                                                              DLLImport
                                                                                              KERNEL32.dllExpandEnvironmentStringsA, GetLongPathNameW, CopyFileW, GetLocaleInfoA, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, VirtualProtect, SetLastError, VirtualFree, VirtualAlloc, LoadLibraryA, GetNativeSystemInfo, HeapAlloc, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetTempPathW, OpenProcess, OpenMutexA, lstrcatW, GetCurrentProcessId, GetTempFileNameW, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetTickCount, GlobalUnlock, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, LocalAlloc, GlobalFree, MulDiv, SizeofResource, QueryDosDeviceW, FindFirstVolumeW, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, lstrlenW, GetStdHandle, SetFilePointer, FindResourceA, LockResource, LoadResource, LocalFree, FindVolumeClose, GetVolumePathNamesForVolumeNameW, lstrcpyW, SetConsoleOutputCP, FormatMessageA, FindFirstFileA, AllocConsole, lstrcmpW, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, HeapReAlloc, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, GetACP, GetModuleHandleExW, MoveFileExW, LoadLibraryExW, RaiseException, RtlUnwind, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, MultiByteToWideChar, DecodePointer, EncodePointer, TlsFree, TlsSetValue, GetFileSize, TerminateThread, GetLastError, GetModuleHandleA, RemoveDirectoryW, MoveFileW, SetFilePointerEx, CreateDirectoryW, GetLogicalDriveStringsA, DeleteFileW, FindNextFileA, DeleteFileA, SetFileAttributesW, GetFileAttributesW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, GetModuleHandleW, ExitProcess, GetProcAddress, CreateMutexA, GetCurrentProcess, CreateProcessA, PeekNamedPipe, CreatePipe, TerminateProcess, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, SetEvent, CreateEventW, WaitForSingleObject, Sleep, GetModuleFileNameW, CloseHandle, ExitThread, CreateFileW, WriteFile, FindNextVolumeW, TlsGetValue, TlsAlloc, SwitchToThread, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, WaitForSingleObjectEx, ResetEvent, InitializeCriticalSectionAndSpinCount, SetEndOfFile
                                                                                              USER32.dllDefWindowProcA, TranslateMessage, DispatchMessageA, GetMessageA, GetWindowTextW, wsprintfW, GetClipboardData, UnhookWindowsHookEx, GetForegroundWindow, ToUnicodeEx, GetKeyboardLayout, SetWindowsHookExA, CloseClipboard, OpenClipboard, GetKeyboardState, CallNextHookEx, GetKeyboardLayoutNameA, GetKeyState, GetWindowTextLengthW, GetWindowThreadProcessId, SetForegroundWindow, SetClipboardData, EnumWindows, ExitWindowsEx, EmptyClipboard, ShowWindow, SetWindowTextW, MessageBoxW, IsWindowVisible, CreateWindowExA, SendInput, EnumDisplaySettingsW, mouse_event, MapVirtualKeyA, TrackPopupMenu, CreatePopupMenu, AppendMenuA, RegisterClassExA, GetCursorPos, SystemParametersInfoW, GetIconInfo, GetSystemMetrics, CloseWindow, DrawIcon
                                                                                              GDI32.dllBitBlt, CreateCompatibleBitmap, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteDC, DeleteObject, CreateDCA, GetObjectA, SelectObject
                                                                                              ADVAPI32.dllLookupPrivilegeValueA, CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, RegDeleteKeyA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegEnumValueW, RegQueryValueExW
                                                                                              SHELL32.dllShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW
                                                                                              ole32.dllCoInitializeEx, CoGetObject, CoUninitialize
                                                                                              SHLWAPI.dllStrToIntA, PathFileExistsW, PathFileExistsA
                                                                                              WINMM.dllmciSendStringA, mciSendStringW, waveInClose, waveInStop, waveInStart, waveInUnprepareHeader, waveInOpen, waveInAddBuffer, waveInPrepareHeader, PlaySoundW
                                                                                              WS2_32.dllsend, WSAStartup, socket, connect, WSAGetLastError, recv, closesocket, inet_ntoa, htons, htonl, getservbyname, ntohs, getservbyport, gethostbyaddr, inet_addr, WSASetLastError, gethostbyname
                                                                                              urlmon.dllURLOpenBlockingStreamW, URLDownloadToFileW
                                                                                              gdiplus.dllGdipAlloc, GdiplusStartup, GdipGetImageEncoders, GdipLoadImageFromStream, GdipSaveImageToStream, GdipGetImageEncodersSize, GdipFree, GdipDisposeImage, GdipCloneImage
                                                                                              WININET.dllInternetOpenUrlW, InternetOpenW, InternetCloseHandle, InternetReadFile
                                                                                              Language of compilation systemCountry where language is spokenMap
                                                                                              EnglishUnited States
                                                                                              TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                              2024-12-20T16:26:04.320581+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.54970431.13.224.723421TCP
                                                                                              2024-12-20T16:26:06.966456+01002803304ETPRO MALWARE Common Downloader Header Pattern HCa3192.168.2.549706178.237.33.5080TCP
                                                                                              2024-12-20T16:26:07.273843+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.54970531.13.224.723421TCP
                                                                                              TimestampSource PortDest PortSource IPDest IP
                                                                                              Dec 20, 2024 16:26:02.808511019 CET497043421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:02.928700924 CET34214970431.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:02.928795099 CET497043421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:02.935791016 CET497043421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:03.055310965 CET34214970431.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:04.272099018 CET34214970431.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:04.320580959 CET497043421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:04.507081032 CET34214970431.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:04.525841951 CET497043421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:04.645494938 CET34214970431.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:04.645586014 CET497043421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:04.765240908 CET34214970431.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:05.205563068 CET34214970431.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:05.209017992 CET497043421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:05.328763962 CET34214970431.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:05.394694090 CET34214970431.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:05.404589891 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:05.445554972 CET497043421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:05.524508953 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:05.524616003 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:05.528256893 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:05.595050097 CET4970680192.168.2.5178.237.33.50
                                                                                              Dec 20, 2024 16:26:05.647830009 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:05.714854956 CET8049706178.237.33.50192.168.2.5
                                                                                              Dec 20, 2024 16:26:05.714953899 CET4970680192.168.2.5178.237.33.50
                                                                                              Dec 20, 2024 16:26:05.715183973 CET4970680192.168.2.5178.237.33.50
                                                                                              Dec 20, 2024 16:26:05.834832907 CET8049706178.237.33.50192.168.2.5
                                                                                              Dec 20, 2024 16:26:06.966358900 CET8049706178.237.33.50192.168.2.5
                                                                                              Dec 20, 2024 16:26:06.966455936 CET4970680192.168.2.5178.237.33.50
                                                                                              Dec 20, 2024 16:26:07.016802073 CET497043421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:07.136766911 CET34214970431.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:07.230700016 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:07.273843050 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:07.466208935 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:07.470468998 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:07.590136051 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:07.590230942 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:07.710794926 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:07.960243940 CET8049706178.237.33.50192.168.2.5
                                                                                              Dec 20, 2024 16:26:07.960345984 CET4970680192.168.2.5178.237.33.50
                                                                                              Dec 20, 2024 16:26:08.145796061 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.145977020 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.145992994 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.146030903 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:08.146202087 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.146214962 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.146229982 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.146274090 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:08.146274090 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:08.146708012 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.146723986 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.146792889 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:08.154303074 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.154319048 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.154409885 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:08.162702084 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.162738085 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.162941933 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:08.336689949 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.336711884 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.339637041 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:08.339677095 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.339692116 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.339842081 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:08.346538067 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.351697922 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.351713896 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.354664087 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:08.357429028 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.357667923 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:08.357695103 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.366705894 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.366722107 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.367331028 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:08.375696898 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.375715971 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.378680944 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:08.381376982 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.381392956 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.381475925 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:08.390728951 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.390744925 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.392621040 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:08.397670031 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.397686005 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.398154020 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:08.405503988 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.405519962 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.407231092 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:08.414690018 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.415344000 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:08.765569925 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.765588045 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.765759945 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:08.766374111 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.766387939 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.766401052 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.766415119 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.766496897 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:08.766496897 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:08.767215014 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.767230034 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.767249107 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.767261982 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.767277002 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.767921925 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:08.767923117 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:08.848422050 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.848498106 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.850647926 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:08.851646900 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.851680994 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.856616974 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:08.857959032 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.858097076 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.859626055 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:08.864316940 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.864772081 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.868618011 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:08.870959997 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.871099949 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.871642113 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:08.877108097 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.877157927 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.880495071 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:08.883497000 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.883594036 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.884619951 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:08.889759064 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.946255922 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:08.966164112 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.966198921 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.966295958 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:08.969250917 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.969439983 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.969680071 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:08.975627899 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.975696087 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.975831032 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:08.982086897 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.982275963 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.982343912 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:08.988440990 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.988626003 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.988718033 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:08.994849920 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.994926929 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:08.995038033 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.001182079 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.001652002 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.001765013 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.007531881 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.007687092 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.007920027 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.086222887 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.088614941 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.088701010 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.089468002 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.089606047 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.089662075 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.095881939 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.096025944 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.096137047 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.102166891 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.102437019 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.102498055 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.108988047 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.109507084 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.109580994 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.115066051 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.115128040 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.115185022 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.121373892 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.121423960 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.121507883 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.125644922 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.125833988 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.125888109 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.129956007 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.179925919 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.200702906 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.200875998 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.200939894 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.202735901 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.203089952 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.203177929 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.205986023 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.206911087 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.206981897 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.210216045 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.210325956 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.210369110 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.214457989 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.214631081 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.214677095 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.218907118 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.219309092 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.219367981 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.223076105 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.223434925 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.223499060 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.227340937 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.227435112 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.227643967 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.231560946 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.273693085 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.322736025 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.323097944 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.323225021 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.324773073 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.325480938 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.325562000 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.325649023 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.329906940 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.330015898 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.330207109 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.334100962 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.334172964 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.334218025 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.338486910 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.338541031 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.338768005 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.342643976 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.342757940 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.342824936 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.346856117 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.346929073 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.346939087 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.351157904 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.351228952 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.351365089 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.354773045 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.354850054 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.354871035 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.398673058 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.440972090 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.441231012 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.441354990 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.443136930 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.443198919 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.443249941 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.446106911 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.446372986 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.446420908 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.449476957 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.449588060 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.449631929 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.452877998 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.452972889 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.453078985 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.456248999 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.456330061 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.456379890 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.459651947 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.459934950 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.460000992 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.463032961 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.463298082 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.463339090 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.466495037 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.466612101 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.466660976 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.561278105 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.561470032 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.561579943 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.562858105 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.563002110 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.563049078 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.566309929 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.566682100 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.566725969 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.569685936 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.570144892 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.570211887 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.573061943 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.573151112 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.573210955 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.576637030 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.576725006 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.576797962 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.579946995 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.580095053 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.580162048 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.583333969 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.583540916 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.583621025 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.586765051 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.586977005 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.587044954 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.677155972 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.677297115 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.677385092 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.678045034 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.678224087 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.678280115 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.681380033 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.681674957 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.681761980 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.684788942 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.684987068 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.685048103 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.688111067 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.688172102 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.688221931 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.691397905 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.691854000 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.691926003 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.694669008 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.694967985 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.695041895 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.698018074 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.698302031 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.698371887 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.701384068 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.701566935 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.701628923 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:09.704662085 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:09.758112907 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:10.109811068 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.110336065 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.110486984 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:10.110999107 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.111012936 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.111134052 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:10.114238977 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.114491940 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.114566088 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:10.117614985 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.117825985 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.117988110 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:10.121067047 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.121601105 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.121665955 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:10.124198914 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.164628029 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:10.224570036 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.224649906 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.224711895 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:10.225990057 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.226130962 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.226227999 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:10.229326010 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.229463100 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.229523897 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:10.232599020 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.232736111 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.232856035 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:10.236059904 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.236192942 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.236284971 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:10.239310980 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.239448071 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.239573002 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:10.242633104 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.242710114 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.242774963 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:10.300429106 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.341686010 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.341773987 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:10.341828108 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.343247890 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.343306065 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:10.343328953 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.346494913 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.346560001 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:10.346678972 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.349915028 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.349987984 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:10.350148916 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.353161097 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.353533030 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:10.354016066 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.356559038 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.356626034 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.356641054 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:10.359796047 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.359899998 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:10.359993935 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.414299965 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:10.420272112 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.461245060 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:10.462271929 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.462430954 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.462512970 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:10.463849068 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.464020014 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.464091063 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:10.467161894 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.467428923 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.467525959 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:10.470508099 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.470753908 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.470813990 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:10.473804951 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.473953009 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.474010944 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:10.477108955 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.477325916 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.477375984 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:10.480439901 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.480724096 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.480797052 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:10.490591049 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.539335012 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:10.884092093 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.884191990 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.884264946 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:10.885788918 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.886054993 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.886140108 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:10.889199018 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.889265060 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.889344931 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:10.892503977 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.892693996 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.892750025 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:10.895766973 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.896281004 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.896362066 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:10.996853113 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.997257948 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.997323990 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:10.998467922 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.999023914 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:10.999083996 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:10.999310970 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.002414942 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.002481937 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.002526045 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:11.005772114 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.005894899 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:11.005908966 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.008995056 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.009203911 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:11.009346008 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.054919958 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:11.117605925 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.117806911 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.117854118 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:11.119101048 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.119267941 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.119308949 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:11.122405052 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.122520924 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.122575998 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:11.125794888 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.125967979 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.126018047 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:11.129132032 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.129316092 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.129460096 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:11.234877110 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.235028028 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.235135078 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:11.235830069 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.236176968 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.236226082 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:11.239043951 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.239371061 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.239430904 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:11.242532015 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.242683887 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.242748022 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:11.245732069 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.246041059 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.246112108 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:11.249013901 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.249967098 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.250011921 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:11.353220940 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.353775024 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.353861094 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:11.354036093 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.354162931 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.354208946 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:11.357383966 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.358283997 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.358329058 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:11.360039949 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.360187054 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.360224962 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:11.363276005 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.363837004 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.363890886 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:11.366632938 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.367002964 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.367046118 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:11.471514940 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.471771002 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.471810102 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:11.473181009 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.473254919 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.473290920 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:11.476536036 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.476686001 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.476732969 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:11.479922056 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.480037928 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.480134010 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:11.483114004 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.483220100 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.483262062 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:11.486449003 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.539277077 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:11.900345087 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.900373936 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.900509119 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:11.901889086 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.901946068 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.901993990 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:11.904408932 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.904670000 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.904767990 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:11.907825947 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.907968998 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.908029079 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:11.911098957 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:11.961173058 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:12.019040108 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:12.019452095 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:12.019521952 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:12.020406961 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:12.020602942 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:12.020663023 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:12.023734093 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:12.024943113 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:12.025103092 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:12.025443077 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:12.028347969 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:12.028409004 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:12.028753996 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:12.070561886 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:12.140671968 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:12.140949965 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:12.141045094 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:12.141644001 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:12.141875982 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:12.141940117 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:12.144983053 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:12.145134926 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:12.145193100 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:12.148286104 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:12.148433924 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:12.148509979 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:12.151829004 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:12.152117014 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:12.152184010 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:12.258759022 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:12.258833885 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:12.258919001 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:12.260262966 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:12.260581970 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:12.260653019 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:12.263624907 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:12.263731003 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:12.263782978 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:12.266999006 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:12.267179012 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:12.267239094 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:12.270303965 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:12.320717096 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:13.302122116 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:13.302268028 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:13.302342892 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:13.303396940 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:13.303495884 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:13.303540945 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:13.419481993 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:13.420006037 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:13.420116901 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:13.421271086 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:13.421674013 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:13.421736956 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:13.536267996 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:13.537076950 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:13.537143946 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:13.537990093 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:13.538106918 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:13.538208008 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:13.969887018 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:13.971824884 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:13.971872091 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:13.971988916 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:14.023819923 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:14.079330921 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:14.079485893 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:14.079756975 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:14.080848932 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:14.133466959 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:14.497519970 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:14.498033047 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:14.498158932 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:14.499212027 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:14.499810934 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:14.499917984 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:14.615648031 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:14.615766048 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:14.615866899 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:14.617547989 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:14.617561102 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:14.617734909 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:14.735023022 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:14.735233068 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:14.735332012 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:14.736839056 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:14.736942053 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:14.737046003 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:14.850630045 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:14.850652933 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:14.850817919 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:14.852185011 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:14.852437973 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:14.852545023 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:14.967345953 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:14.967367887 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:14.968525887 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:14.968540907 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:14.968624115 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:14.968624115 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:15.087287903 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.087307930 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.087369919 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:15.088408947 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.088838100 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.088877916 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:15.201813936 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.201834917 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.201946974 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:15.203361034 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.203799009 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.203874111 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:15.206572056 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.258033991 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:15.319526911 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.319632053 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.319730997 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:15.321225882 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.321243048 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.321326971 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:15.324433088 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.367475986 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:15.436714888 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.436791897 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.436950922 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:15.438225031 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.438483000 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.438534975 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:15.441669941 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.441920996 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.442008018 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:15.553913116 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.554147005 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.554228067 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:15.554749966 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.554975033 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.555171967 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:15.558208942 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.558432102 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.558501005 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:15.561609983 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.601903915 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:15.671396017 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.671900034 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.672017097 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:15.672976971 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.673106909 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.673155069 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:15.676197052 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.676572084 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.676620960 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:15.679514885 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.726778984 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:15.746328115 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.788464069 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.788501024 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.788542986 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:15.789975882 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.790532112 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:15.790586948 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.790878057 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.790929079 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:15.793932915 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.794060946 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.794122934 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:15.797329903 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.851880074 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:15.906469107 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.906528950 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.906622887 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:15.908036947 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.908242941 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.908396006 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:15.911348104 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.911541939 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:15.911601067 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:18.213589907 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:18.333415031 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:18.333432913 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:18.333456039 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:18.333513021 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:18.333534956 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:18.333534956 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:18.333545923 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:18.333647013 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:18.333657980 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:18.333714962 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:18.333750963 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:18.333761930 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:18.418740988 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:18.453389883 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:18.453414917 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:18.453427076 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:18.453438044 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:18.453460932 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:18.453470945 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:18.453483105 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:18.539026022 CET34214970531.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:18.543060064 CET497053421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:19.807199001 CET34214970431.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:19.809801102 CET497043421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:19.929707050 CET34214970431.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:50.612560987 CET34214970431.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:26:50.614252090 CET497043421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:26:50.733936071 CET34214970431.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:27:21.295357943 CET34214970431.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:27:21.297297955 CET497043421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:27:21.416785002 CET34214970431.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:27:52.050930023 CET34214970431.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:27:52.052958012 CET497043421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:27:52.172835112 CET34214970431.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:27:55.445816040 CET4970680192.168.2.5178.237.33.50
                                                                                              Dec 20, 2024 16:27:55.758049965 CET4970680192.168.2.5178.237.33.50
                                                                                              Dec 20, 2024 16:27:56.368729115 CET4970680192.168.2.5178.237.33.50
                                                                                              Dec 20, 2024 16:27:57.570641041 CET4970680192.168.2.5178.237.33.50
                                                                                              Dec 20, 2024 16:27:59.976787090 CET4970680192.168.2.5178.237.33.50
                                                                                              Dec 20, 2024 16:28:04.789288044 CET4970680192.168.2.5178.237.33.50
                                                                                              Dec 20, 2024 16:28:14.523806095 CET4970680192.168.2.5178.237.33.50
                                                                                              Dec 20, 2024 16:28:22.712419033 CET34214970431.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:28:22.716294050 CET497043421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:28:22.836030960 CET34214970431.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:28:53.768858910 CET34214970431.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:28:53.774087906 CET497043421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:28:53.893697977 CET34214970431.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:29:24.537870884 CET34214970431.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:29:24.539748907 CET497043421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:29:24.659224033 CET34214970431.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:29:55.332523108 CET34214970431.13.224.72192.168.2.5
                                                                                              Dec 20, 2024 16:29:55.334650993 CET497043421192.168.2.531.13.224.72
                                                                                              Dec 20, 2024 16:29:55.460844994 CET34214970431.13.224.72192.168.2.5
                                                                                              TimestampSource PortDest PortSource IPDest IP
                                                                                              Dec 20, 2024 16:26:02.468118906 CET5208453192.168.2.51.1.1.1
                                                                                              Dec 20, 2024 16:26:02.803706884 CET53520841.1.1.1192.168.2.5
                                                                                              Dec 20, 2024 16:26:05.450268030 CET5292153192.168.2.51.1.1.1
                                                                                              Dec 20, 2024 16:26:05.589917898 CET53529211.1.1.1192.168.2.5
                                                                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                              Dec 20, 2024 16:26:02.468118906 CET192.168.2.51.1.1.10xd094Standard query (0)brideeded.duckdns.orgA (IP address)IN (0x0001)false
                                                                                              Dec 20, 2024 16:26:05.450268030 CET192.168.2.51.1.1.10x7ed6Standard query (0)geoplugin.netA (IP address)IN (0x0001)false
                                                                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                              Dec 20, 2024 16:26:02.803706884 CET1.1.1.1192.168.2.50xd094No error (0)brideeded.duckdns.org31.13.224.72A (IP address)IN (0x0001)false
                                                                                              Dec 20, 2024 16:26:05.589917898 CET1.1.1.1192.168.2.50x7ed6No error (0)geoplugin.net178.237.33.50A (IP address)IN (0x0001)false
                                                                                              • geoplugin.net
                                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                              0192.168.2.549706178.237.33.50806156C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe
                                                                                              TimestampBytes transferredDirectionData
                                                                                              Dec 20, 2024 16:26:05.715183973 CET71OUTGET /json.gp HTTP/1.1
                                                                                              Host: geoplugin.net
                                                                                              Cache-Control: no-cache
                                                                                              Dec 20, 2024 16:26:06.966358900 CET1171INHTTP/1.1 200 OK
                                                                                              date: Fri, 20 Dec 2024 15:26:06 GMT
                                                                                              server: Apache
                                                                                              content-length: 963
                                                                                              content-type: application/json; charset=utf-8
                                                                                              cache-control: public, max-age=300
                                                                                              access-control-allow-origin: *
                                                                                              Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 30 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 [TRUNCATED]
                                                                                              Data Ascii: { "geoplugin_request":"8.46.123.189", "geoplugin_status":200, "geoplugin_delay":"0ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7503", "geoplugin_longitude":"-74.0014", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                                                                                              Click to jump to process

                                                                                              Click to jump to process

                                                                                              Click to dive into process behavior distribution

                                                                                              Click to jump to process

                                                                                              Target ID:0
                                                                                              Start time:10:26:01
                                                                                              Start date:20/12/2024
                                                                                              Path:C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe"
                                                                                              Imagebase:0x400000
                                                                                              File size:493'056 bytes
                                                                                              MD5 hash:B109B6B9485443491013E40FCC73AE5C
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Yara matches:
                                                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4481470481.00000000006EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000000.2034425257.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000000.2034425257.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.2034425257.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000000.2034425257.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                              Reputation:low
                                                                                              Has exited:false

                                                                                              Target ID:2
                                                                                              Start time:10:26:14
                                                                                              Start date:20/12/2024
                                                                                              Path:C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\smneazorfckbjbutbkwjb"
                                                                                              Imagebase:0x400000
                                                                                              File size:493'056 bytes
                                                                                              MD5 hash:B109B6B9485443491013E40FCC73AE5C
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Yara matches:
                                                                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000002.00000000.2169865938.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000000.2169865938.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000000.2169865938.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000002.00000000.2169865938.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                              Reputation:low
                                                                                              Has exited:true

                                                                                              Target ID:3
                                                                                              Start time:10:26:14
                                                                                              Start date:20/12/2024
                                                                                              Path:C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\doaxbszlbkcgthrfkvjdmoalt"
                                                                                              Imagebase:0x400000
                                                                                              File size:493'056 bytes
                                                                                              MD5 hash:B109B6B9485443491013E40FCC73AE5C
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Yara matches:
                                                                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000003.00000000.2171408950.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000000.2171408950.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000000.2171408950.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000003.00000000.2171408950.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                              Reputation:low
                                                                                              Has exited:true

                                                                                              Target ID:4
                                                                                              Start time:10:26:15
                                                                                              Start date:20/12/2024
                                                                                              Path:C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\nifpbkkmpsusvnfjcgeeptnccmmr"
                                                                                              Imagebase:0x400000
                                                                                              File size:493'056 bytes
                                                                                              MD5 hash:B109B6B9485443491013E40FCC73AE5C
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Yara matches:
                                                                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000004.00000000.2176491254.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000000.2176491254.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000000.2176491254.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000004.00000000.2176491254.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                              Reputation:low
                                                                                              Has exited:true

                                                                                              Reset < >

                                                                                                Execution Graph

                                                                                                Execution Coverage:4.6%
                                                                                                Dynamic/Decrypted Code Coverage:4.3%
                                                                                                Signature Coverage:20.1%
                                                                                                Total number of Nodes:1612
                                                                                                Total number of Limit Nodes:61
                                                                                                execution_graph 52141 41d4d0 52142 41d4e6 ctype ___scrt_fastfail 52141->52142 52143 41d6e3 52142->52143 52145 431f99 21 API calls 52142->52145 52147 41d734 52143->52147 52157 41d071 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection ___scrt_fastfail 52143->52157 52150 41d696 ___scrt_fastfail 52145->52150 52146 41d6f4 52146->52147 52148 41d760 52146->52148 52158 431f99 52146->52158 52148->52147 52166 41d474 21 API calls ___scrt_fastfail 52148->52166 52150->52147 52152 431f99 21 API calls 52150->52152 52155 41d6be ___scrt_fastfail 52152->52155 52153 41d72d ___scrt_fastfail 52153->52147 52163 43264f 52153->52163 52155->52147 52156 431f99 21 API calls 52155->52156 52156->52143 52157->52146 52159 431fa3 52158->52159 52160 431fa7 52158->52160 52159->52153 52167 43a88c 52160->52167 52176 43256f 52163->52176 52165 432657 52165->52148 52166->52147 52169 446aff _strftime 52167->52169 52168 446b3d 52175 445354 20 API calls _free 52168->52175 52169->52168 52171 446b28 RtlAllocateHeap 52169->52171 52174 442200 7 API calls 2 library calls 52169->52174 52171->52169 52172 431fac 52171->52172 52172->52153 52174->52169 52175->52172 52177 432588 52176->52177 52180 43257e 52176->52180 52178 431f99 21 API calls 52177->52178 52177->52180 52179 4325a9 52178->52179 52179->52180 52182 43293a CryptAcquireContextA 52179->52182 52180->52165 52183 432956 52182->52183 52184 43295b CryptGenRandom 52182->52184 52183->52180 52184->52183 52185 432970 CryptReleaseContext 52184->52185 52185->52183 52186 426030 52191 4260f7 recv 52186->52191 52192 426091 52197 42610e send 52192->52197 52198 425e56 52199 425e6b 52198->52199 52202 425f0b 52198->52202 52200 425f25 52199->52200 52201 425f5a 52199->52201 52199->52202 52203 425eb9 52199->52203 52204 425f77 52199->52204 52205 425f9e 52199->52205 52211 425eee 52199->52211 52226 424354 48 API calls ctype 52199->52226 52200->52201 52200->52202 52229 41f075 52 API calls 52200->52229 52201->52204 52230 424b7b 21 API calls 52201->52230 52203->52202 52203->52211 52227 41f075 52 API calls 52203->52227 52204->52202 52204->52205 52214 424f78 52204->52214 52205->52202 52231 4255c7 28 API calls 52205->52231 52211->52200 52211->52202 52228 424354 48 API calls ctype 52211->52228 52215 424f97 ___scrt_fastfail 52214->52215 52217 424fa6 52215->52217 52220 424fcb 52215->52220 52232 41e097 21 API calls 52215->52232 52217->52220 52225 424fab 52217->52225 52233 41fad4 45 API calls 52217->52233 52220->52205 52221 424fb4 52221->52220 52235 424185 21 API calls 2 library calls 52221->52235 52223 42504e 52223->52220 52224 431f99 21 API calls 52223->52224 52224->52225 52225->52220 52225->52221 52234 41cf6e 48 API calls 52225->52234 52226->52203 52227->52203 52228->52200 52229->52200 52230->52204 52231->52202 52232->52217 52233->52223 52234->52221 52235->52220 52236 1000c7a7 52237 1000c7be 52236->52237 52242 1000c82c 52236->52242 52237->52242 52248 1000c7e6 GetModuleHandleA 52237->52248 52238 1000c872 52239 1000c835 GetModuleHandleA 52241 1000c83f 52239->52241 52241->52242 52243 1000c85f GetProcAddress 52241->52243 52242->52238 52242->52239 52242->52241 52243->52242 52244 1000c7dd 52244->52241 52244->52242 52245 1000c800 GetProcAddress 52244->52245 52245->52242 52246 1000c80d VirtualProtect 52245->52246 52246->52242 52247 1000c81c VirtualProtect 52246->52247 52247->52242 52249 1000c82c 52248->52249 52250 1000c7ef 52248->52250 52252 1000c872 52249->52252 52253 1000c835 GetModuleHandleA 52249->52253 52255 1000c83f 52249->52255 52260 1000c803 GetProcAddress 52250->52260 52253->52255 52254 1000c7f4 52254->52249 52256 1000c800 GetProcAddress 52254->52256 52255->52249 52255->52255 52259 1000c85f GetProcAddress 52255->52259 52256->52249 52257 1000c80d VirtualProtect 52256->52257 52257->52249 52258 1000c81c VirtualProtect 52257->52258 52258->52249 52259->52249 52261 1000c80d VirtualProtect 52260->52261 52262 1000c82c 52260->52262 52261->52262 52263 1000c81c VirtualProtect 52261->52263 52264 1000c872 52262->52264 52265 1000c835 GetModuleHandleA 52262->52265 52263->52262 52267 1000c83f 52265->52267 52266 1000c85f GetProcAddress 52266->52267 52267->52262 52267->52266 52268 43a998 52269 43a9a4 _swprintf __FrameHandler3::FrameUnwindToState 52268->52269 52270 43a9b2 52269->52270 52272 43a9dc 52269->52272 52284 445354 20 API calls _free 52270->52284 52279 444acc EnterCriticalSection 52272->52279 52274 43a9b7 pre_c_initialization std::_Locinfo::_Locinfo_ctor 52275 43a9e7 52280 43aa88 52275->52280 52279->52275 52281 43aa96 52280->52281 52281->52281 52283 43a9f2 52281->52283 52286 448416 36 API calls 2 library calls 52281->52286 52285 43aa0f LeaveCriticalSection std::_Lockit::~_Lockit 52283->52285 52284->52274 52285->52274 52286->52281 52287 414dba 52302 41a51b 52287->52302 52289 414dc3 52312 401fbd 52289->52312 52294 4161f2 52335 401d8c 52294->52335 52297 4161fb 52298 401eea 11 API calls 52297->52298 52299 416207 52298->52299 52300 401eea 11 API calls 52299->52300 52301 416213 52300->52301 52303 41a529 52302->52303 52304 43a88c ___std_exception_copy 21 API calls 52303->52304 52305 41a533 InternetOpenW InternetOpenUrlW 52304->52305 52306 41a55c InternetReadFile 52305->52306 52309 41a57f 52306->52309 52308 41a5ac InternetCloseHandle InternetCloseHandle 52310 41a5be 52308->52310 52309->52306 52309->52308 52311 401eea 11 API calls 52309->52311 52341 401f86 52309->52341 52310->52289 52311->52309 52313 401fcc 52312->52313 52350 402501 52313->52350 52315 401fea 52316 404468 52315->52316 52317 40447b 52316->52317 52355 404be8 52317->52355 52319 404490 ctype 52320 404507 WaitForSingleObject 52319->52320 52321 4044e7 52319->52321 52323 40451d 52320->52323 52322 4044f9 send 52321->52322 52325 404542 52322->52325 52359 42051a 54 API calls 52323->52359 52327 401eea 11 API calls 52325->52327 52326 404530 SetEvent 52326->52325 52328 40454a 52327->52328 52329 401eea 11 API calls 52328->52329 52330 404552 52329->52330 52330->52294 52331 401eea 52330->52331 52332 4021b9 52331->52332 52333 4021e8 52332->52333 52365 40262e 52332->52365 52333->52294 52336 40200a 52335->52336 52340 40203a 52336->52340 52373 402654 52336->52373 52338 40202b 52376 4026ba 11 API calls _Deallocate 52338->52376 52340->52297 52342 401f8e 52341->52342 52345 402325 52342->52345 52344 401fa4 52344->52309 52346 40232f 52345->52346 52348 40233a 52346->52348 52349 40294a 28 API calls 52346->52349 52348->52344 52349->52348 52351 40250d 52350->52351 52353 40252b 52351->52353 52354 40261a 28 API calls 52351->52354 52353->52315 52354->52353 52356 404bf0 52355->52356 52360 404c0c 52356->52360 52358 404c06 52358->52319 52359->52326 52361 404c16 52360->52361 52363 404c21 52361->52363 52364 404d07 28 API calls 52361->52364 52363->52358 52364->52363 52368 402bee 52365->52368 52367 40263b 52367->52333 52369 402bfb 52368->52369 52370 402c08 std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 52368->52370 52372 4015d8 11 API calls _Deallocate 52369->52372 52370->52367 52372->52370 52377 402c1a 52373->52377 52376->52340 52380 403340 52377->52380 52382 403348 52380->52382 52381 402662 52381->52338 52382->52381 52384 4038c2 52382->52384 52387 4038cb 52384->52387 52388 401eea 11 API calls 52387->52388 52389 4038ca 52388->52389 52389->52382 52390 42ea1e 52391 42ea29 52390->52391 52392 42ea3d 52391->52392 52394 431fc3 52391->52394 52395 431fd2 52394->52395 52397 431fce 52394->52397 52398 43fcda 52395->52398 52397->52392 52399 44b9be 52398->52399 52400 44b9d6 52399->52400 52401 44b9cb 52399->52401 52403 44b9de 52400->52403 52409 44b9e7 _strftime 52400->52409 52411 446aff 52401->52411 52418 446ac5 52403->52418 52404 44ba11 RtlReAllocateHeap 52408 44b9d3 52404->52408 52404->52409 52405 44b9ec 52424 445354 20 API calls _free 52405->52424 52408->52397 52409->52404 52409->52405 52425 442200 7 API calls 2 library calls 52409->52425 52412 446b3d 52411->52412 52416 446b0d _strftime 52411->52416 52427 445354 20 API calls _free 52412->52427 52414 446b28 RtlAllocateHeap 52415 446b3b 52414->52415 52414->52416 52415->52408 52416->52412 52416->52414 52426 442200 7 API calls 2 library calls 52416->52426 52419 446ad0 RtlFreeHeap 52418->52419 52420 446af9 _free 52418->52420 52419->52420 52421 446ae5 52419->52421 52420->52408 52428 445354 20 API calls _free 52421->52428 52423 446aeb GetLastError 52423->52420 52424->52408 52425->52409 52426->52416 52427->52415 52428->52423 52429 402bcc 52430 402bd7 52429->52430 52431 402bdf 52429->52431 52437 403315 52430->52437 52433 402beb 52431->52433 52444 4015d3 52431->52444 52438 4015d3 22 API calls 52437->52438 52439 40332a 52438->52439 52440 402bdd 52439->52440 52441 40333b 52439->52441 52454 43a854 11 API calls _abort 52441->52454 52443 43a853 52446 43360d 52444->52446 52445 43a88c ___std_exception_copy 21 API calls 52445->52446 52446->52445 52447 402be9 52446->52447 52450 43362e std::_Facet_Register 52446->52450 52455 442200 7 API calls 2 library calls 52446->52455 52449 433dec std::_Facet_Register 52457 437bd7 RaiseException 52449->52457 52450->52449 52456 437bd7 RaiseException 52450->52456 52453 433e09 52454->52443 52455->52446 52456->52449 52457->52453 52458 4339be 52459 4339ca __FrameHandler3::FrameUnwindToState 52458->52459 52490 4336b3 52459->52490 52461 4339d1 52462 433b24 52461->52462 52466 4339fb 52461->52466 52790 433b44 IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 52462->52790 52464 433b2b 52791 4426be 28 API calls _abort 52464->52791 52475 433a3a ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 52466->52475 52784 4434d1 5 API calls __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 52466->52784 52467 433b31 52792 442670 28 API calls _abort 52467->52792 52470 433a14 52472 433a1a 52470->52472 52785 443475 5 API calls __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 52470->52785 52471 433b39 52474 433a9b 52501 433c5e 52474->52501 52475->52474 52786 43edf4 35 API calls 3 library calls 52475->52786 52484 433abd 52484->52464 52485 433ac1 52484->52485 52486 433aca 52485->52486 52788 442661 28 API calls _abort 52485->52788 52789 433842 13 API calls 2 library calls 52486->52789 52489 433ad2 52489->52472 52491 4336bc 52490->52491 52793 433e0a IsProcessorFeaturePresent 52491->52793 52493 4336c8 52794 4379ee 10 API calls 3 library calls 52493->52794 52495 4336cd 52496 4336d1 52495->52496 52795 44335e IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 52495->52795 52496->52461 52498 4336da 52499 4336e8 52498->52499 52796 437a17 8 API calls 3 library calls 52498->52796 52499->52461 52797 436050 52501->52797 52504 433aa1 52505 443422 52504->52505 52799 44ddc9 52505->52799 52507 433aaa 52510 40d767 52507->52510 52508 44342b 52508->52507 52803 44e0d3 35 API calls 52508->52803 52805 41bce3 LoadLibraryA GetProcAddress 52510->52805 52512 40d783 GetModuleFileNameW 52810 40e168 52512->52810 52514 40d79f 52515 401fbd 28 API calls 52514->52515 52516 40d7ae 52515->52516 52517 401fbd 28 API calls 52516->52517 52518 40d7bd 52517->52518 52825 41afc3 52518->52825 52522 40d7cf 52523 401d8c 11 API calls 52522->52523 52524 40d7d8 52523->52524 52525 40d835 52524->52525 52526 40d7eb 52524->52526 52850 401d64 52525->52850 53095 40e986 111 API calls 52526->53095 52529 40d845 52532 401d64 28 API calls 52529->52532 52530 40d7fd 52531 401d64 28 API calls 52530->52531 52535 40d809 52531->52535 52533 40d864 52532->52533 52855 404cbf 52533->52855 53096 40e937 65 API calls 52535->53096 52536 40d873 52859 405ce6 52536->52859 52539 40d824 53097 40e155 65 API calls 52539->53097 52540 40d87f 52862 401eef 52540->52862 52543 40d88b 52544 401eea 11 API calls 52543->52544 52545 40d894 52544->52545 52547 401eea 11 API calls 52545->52547 52546 401eea 11 API calls 52548 40dc9f 52546->52548 52549 40d89d 52547->52549 52787 433c94 GetModuleHandleW 52548->52787 52550 401d64 28 API calls 52549->52550 52551 40d8a6 52550->52551 52866 401ebd 52551->52866 52553 40d8b1 52554 401d64 28 API calls 52553->52554 52555 40d8ca 52554->52555 52556 401d64 28 API calls 52555->52556 52558 40d8e5 52556->52558 52557 40d946 52560 401d64 28 API calls 52557->52560 52575 40e134 52557->52575 52558->52557 53098 4085b4 52558->53098 52565 40d95d 52560->52565 52561 40d912 52562 401eef 11 API calls 52561->52562 52563 40d91e 52562->52563 52566 401eea 11 API calls 52563->52566 52564 40d9a4 52870 40bed7 52564->52870 52565->52564 52570 4124b7 3 API calls 52565->52570 52567 40d927 52566->52567 53102 4124b7 RegOpenKeyExA 52567->53102 52569 40d9aa 52571 40d82d 52569->52571 52873 41a463 52569->52873 52576 40d988 52570->52576 52571->52546 52574 40d9c5 52577 40da18 52574->52577 52890 40697b 52574->52890 53190 412902 30 API calls 52575->53190 52576->52564 53105 412902 30 API calls 52576->53105 52579 401d64 28 API calls 52577->52579 52582 40da21 52579->52582 52591 40da32 52582->52591 52592 40da2d 52582->52592 52584 40e14a 53191 4112b5 64 API calls ___scrt_fastfail 52584->53191 52585 40d9e4 53106 40699d 30 API calls 52585->53106 52586 40d9ee 52589 401d64 28 API calls 52586->52589 52599 40d9f7 52589->52599 52596 401d64 28 API calls 52591->52596 53109 4069ba CreateProcessA CloseHandle CloseHandle ___scrt_fastfail 52592->53109 52593 40d9e9 53107 4064d0 97 API calls 52593->53107 52597 40da3b 52596->52597 52894 41ae08 52597->52894 52599->52577 52602 40da13 52599->52602 52600 40da46 52898 401e18 52600->52898 53108 4064d0 97 API calls 52602->53108 52603 40da51 52902 401e13 52603->52902 52606 40da5a 52607 401d64 28 API calls 52606->52607 52608 40da63 52607->52608 52609 401d64 28 API calls 52608->52609 52610 40da7d 52609->52610 52611 401d64 28 API calls 52610->52611 52612 40da97 52611->52612 52613 401d64 28 API calls 52612->52613 52615 40dab0 52613->52615 52614 40db1d 52616 40db2c 52614->52616 52623 40dcaa ___scrt_fastfail 52614->52623 52615->52614 52617 401d64 28 API calls 52615->52617 52618 40db35 52616->52618 52646 40dbb1 ___scrt_fastfail 52616->52646 52621 40dac5 _wcslen 52617->52621 52619 401d64 28 API calls 52618->52619 52620 40db3e 52619->52620 52622 401d64 28 API calls 52620->52622 52621->52614 52624 401d64 28 API calls 52621->52624 52625 40db50 52622->52625 53169 41265d RegOpenKeyExA 52623->53169 52626 40dae0 52624->52626 52628 401d64 28 API calls 52625->52628 52629 401d64 28 API calls 52626->52629 52630 40db62 52628->52630 52631 40daf5 52629->52631 52634 401d64 28 API calls 52630->52634 53110 40c89e 52631->53110 52632 40dcef 52633 401d64 28 API calls 52632->52633 52636 40dd16 52633->52636 52635 40db8b 52634->52635 52640 401d64 28 API calls 52635->52640 52916 401f66 52636->52916 52639 401e18 11 API calls 52642 40db14 52639->52642 52643 40db9c 52640->52643 52645 401e13 11 API calls 52642->52645 53167 40bc67 46 API calls _wcslen 52643->53167 52644 40dd25 52920 4126d2 RegCreateKeyA 52644->52920 52645->52614 52906 4128a2 52646->52906 52650 40dc45 ctype 52655 401d64 28 API calls 52650->52655 52651 40dbac 52651->52646 52653 401d64 28 API calls 52654 40dd47 52653->52654 52926 43a5e7 52654->52926 52656 40dc5c 52655->52656 52656->52632 52660 40dc70 52656->52660 52659 40dd5e 53172 41beb0 87 API calls ___scrt_fastfail 52659->53172 52662 401d64 28 API calls 52660->52662 52661 40dd81 52666 401f66 28 API calls 52661->52666 52664 40dc7e 52662->52664 52667 41ae08 28 API calls 52664->52667 52665 40dd65 CreateThread 52665->52661 54065 41c96f 10 API calls 52665->54065 52668 40dd96 52666->52668 52669 40dc87 52667->52669 52670 401f66 28 API calls 52668->52670 53168 40e219 119 API calls 52669->53168 52672 40dda5 52670->52672 52930 41a686 52672->52930 52673 40dc8c 52673->52632 52674 40dc93 52673->52674 52674->52571 52677 401d64 28 API calls 52678 40ddb6 52677->52678 52679 401d64 28 API calls 52678->52679 52680 40ddcb 52679->52680 52681 401d64 28 API calls 52680->52681 52682 40ddeb 52681->52682 52683 43a5e7 _strftime 39 API calls 52682->52683 52684 40ddf8 52683->52684 52685 401d64 28 API calls 52684->52685 52686 40de03 52685->52686 52687 401d64 28 API calls 52686->52687 52688 40de14 52687->52688 52689 401d64 28 API calls 52688->52689 52690 40de29 52689->52690 52691 401d64 28 API calls 52690->52691 52692 40de3a 52691->52692 52693 40de41 StrToIntA 52692->52693 52954 409517 52693->52954 52696 401d64 28 API calls 52697 40de5c 52696->52697 52698 40dea1 52697->52698 52699 40de68 52697->52699 52702 401d64 28 API calls 52698->52702 53173 43360d 22 API calls 3 library calls 52699->53173 52701 40de71 52703 401d64 28 API calls 52701->52703 52704 40deb1 52702->52704 52705 40de84 52703->52705 52706 40def9 52704->52706 52707 40debd 52704->52707 52708 40de8b CreateThread 52705->52708 52710 401d64 28 API calls 52706->52710 53174 43360d 22 API calls 3 library calls 52707->53174 52708->52698 54063 419128 109 API calls 2 library calls 52708->54063 52712 40df02 52710->52712 52711 40dec6 52713 401d64 28 API calls 52711->52713 52715 40df6c 52712->52715 52716 40df0e 52712->52716 52714 40ded8 52713->52714 52717 40dedf CreateThread 52714->52717 52718 401d64 28 API calls 52715->52718 52719 401d64 28 API calls 52716->52719 52717->52706 54068 419128 109 API calls 2 library calls 52717->54068 52721 40df75 52718->52721 52720 40df1e 52719->52720 52724 401d64 28 API calls 52720->52724 52722 40df81 52721->52722 52723 40dfba 52721->52723 52725 401d64 28 API calls 52722->52725 52979 41a7a2 GetComputerNameExW GetUserNameW 52723->52979 52726 40df33 52724->52726 52729 40df8a 52725->52729 53175 40c854 52726->53175 52734 401d64 28 API calls 52729->52734 52730 401e18 11 API calls 52731 40dfce 52730->52731 52733 401e13 11 API calls 52731->52733 52736 40dfd7 52733->52736 52737 40df9f 52734->52737 52739 40dfe0 SetProcessDEPPolicy 52736->52739 52740 40dfe3 CreateThread 52736->52740 52747 43a5e7 _strftime 39 API calls 52737->52747 52738 401e18 11 API calls 52741 40df52 52738->52741 52739->52740 52742 40e004 52740->52742 52743 40dff8 CreateThread 52740->52743 54036 40e54f 52740->54036 52744 401e13 11 API calls 52741->52744 52745 40e019 52742->52745 52746 40e00d CreateThread 52742->52746 52743->52742 54064 410f36 146 API calls 52743->54064 52748 40df5b CreateThread 52744->52748 52750 40e073 52745->52750 52752 401f66 28 API calls 52745->52752 52746->52745 54066 411524 38 API calls ___scrt_fastfail 52746->54066 52749 40dfac 52747->52749 52748->52715 54067 40196b 49 API calls _strftime 52748->54067 53186 40b95c 7 API calls 52749->53186 52990 41246e RegOpenKeyExA 52750->52990 52753 40e046 52752->52753 53187 404c9e 28 API calls 52753->53187 52756 40e053 52758 401f66 28 API calls 52756->52758 52760 40e062 52758->52760 52759 40e12a 53002 40cbac 52759->53002 52763 41a686 79 API calls 52760->52763 52762 41ae08 28 API calls 52765 40e0a4 52762->52765 52766 40e067 52763->52766 52993 412584 RegOpenKeyExW 52765->52993 52768 401eea 11 API calls 52766->52768 52768->52750 52771 401e13 11 API calls 52774 40e0c5 52771->52774 52772 40e0ed DeleteFileW 52773 40e0f4 52772->52773 52772->52774 52776 41ae08 28 API calls 52773->52776 52774->52772 52774->52773 52775 40e0db Sleep 52774->52775 53188 401e07 52775->53188 52778 40e104 52776->52778 52998 41297a RegOpenKeyExW 52778->52998 52780 40e117 52781 401e13 11 API calls 52780->52781 52782 40e121 52781->52782 52783 401e13 11 API calls 52782->52783 52783->52759 52784->52470 52785->52475 52786->52474 52787->52484 52788->52486 52789->52489 52790->52464 52791->52467 52792->52471 52793->52493 52794->52495 52795->52498 52796->52496 52798 433c71 GetStartupInfoW 52797->52798 52798->52504 52800 44ddd2 52799->52800 52802 44dddb 52799->52802 52804 44dcc8 48 API calls 4 library calls 52800->52804 52802->52508 52803->52508 52804->52802 52806 41bd22 LoadLibraryA GetProcAddress 52805->52806 52807 41bd12 GetModuleHandleA GetProcAddress 52805->52807 52808 41bd4b 32 API calls 52806->52808 52809 41bd3b LoadLibraryA GetProcAddress 52806->52809 52807->52806 52808->52512 52809->52808 53192 41a63f FindResourceA 52810->53192 52813 43a88c ___std_exception_copy 21 API calls 52814 40e192 ctype 52813->52814 52815 401f86 28 API calls 52814->52815 52816 40e1ad 52815->52816 52817 401eef 11 API calls 52816->52817 52818 40e1b8 52817->52818 52819 401eea 11 API calls 52818->52819 52820 40e1c1 52819->52820 52821 43a88c ___std_exception_copy 21 API calls 52820->52821 52822 40e1d2 ctype 52821->52822 53195 406052 52822->53195 52824 40e205 52824->52514 52845 41afd6 52825->52845 52826 41b046 52827 401eea 11 API calls 52826->52827 52828 41b078 52827->52828 52829 401eea 11 API calls 52828->52829 52831 41b080 52829->52831 52830 41b048 52832 403b60 28 API calls 52830->52832 52834 401eea 11 API calls 52831->52834 52835 41b054 52832->52835 52836 40d7c6 52834->52836 52837 401eef 11 API calls 52835->52837 52846 40e8bd 52836->52846 52839 41b05d 52837->52839 52838 401eef 11 API calls 52838->52845 52840 401eea 11 API calls 52839->52840 52842 41b065 52840->52842 52841 401eea 11 API calls 52841->52845 53202 41bfa9 28 API calls 52842->53202 52845->52826 52845->52830 52845->52838 52845->52841 53198 403b60 52845->53198 53201 41bfa9 28 API calls 52845->53201 52847 40e8ca 52846->52847 52849 40e8da 52847->52849 53219 40200a 11 API calls 52847->53219 52849->52522 52851 401d6c 52850->52851 52852 401d74 52851->52852 53220 401fff 28 API calls 52851->53220 52852->52529 52854 401d8b 52856 404ccb 52855->52856 53221 402e78 52856->53221 52858 404cee 52858->52536 53230 404bc4 52859->53230 52861 405cf4 52861->52540 52863 401efe 52862->52863 52865 401f0a 52863->52865 53239 4021b9 52863->53239 52865->52543 52868 401ec9 52866->52868 52867 401ee4 52867->52553 52868->52867 52869 402325 28 API calls 52868->52869 52869->52867 53243 401e8f 52870->53243 52872 40bee1 CreateMutexA GetLastError 52872->52569 53245 41b15b 52873->53245 52875 41a471 53249 412513 RegOpenKeyExA 52875->53249 52878 401eef 11 API calls 52879 41a49f 52878->52879 52880 401eea 11 API calls 52879->52880 52881 41a4a7 52880->52881 52882 412513 31 API calls 52881->52882 52883 41a4fa 52881->52883 52884 41a4cd 52882->52884 52883->52574 52885 41a4d8 StrToIntA 52884->52885 52886 41a4ef 52885->52886 52887 41a4e6 52885->52887 52889 401eea 11 API calls 52886->52889 53254 41c102 22 API calls 52887->53254 52889->52883 52891 40698f 52890->52891 52892 4124b7 3 API calls 52891->52892 52893 406996 52892->52893 52893->52585 52893->52586 52895 41ae1c 52894->52895 53255 40b027 52895->53255 52897 41ae24 52897->52600 52899 401e27 52898->52899 52901 401e33 52899->52901 53264 402121 11 API calls 52899->53264 52901->52603 52903 402121 52902->52903 52904 402150 52903->52904 53265 402718 11 API calls _Deallocate 52903->53265 52904->52606 52907 4128c0 52906->52907 52908 406052 28 API calls 52907->52908 52909 4128d5 52908->52909 52910 401fbd 28 API calls 52909->52910 52911 4128e5 52910->52911 52912 4126d2 14 API calls 52911->52912 52913 4128ef 52912->52913 52914 401eea 11 API calls 52913->52914 52915 4128fc 52914->52915 52915->52650 52917 401f6e 52916->52917 53266 402301 52917->53266 52921 412722 52920->52921 52923 4126eb 52920->52923 52922 401eea 11 API calls 52921->52922 52924 40dd3b 52922->52924 52925 4126fd RegSetValueExA RegCloseKey 52923->52925 52924->52653 52925->52921 52927 43a600 _strftime 52926->52927 53270 43993e 52927->53270 52929 40dd54 52929->52659 52929->52661 52931 41a737 52930->52931 52932 41a69c GetLocalTime 52930->52932 52934 401eea 11 API calls 52931->52934 52933 404cbf 28 API calls 52932->52933 52935 41a6de 52933->52935 52936 41a73f 52934->52936 52937 405ce6 28 API calls 52935->52937 52938 401eea 11 API calls 52936->52938 52939 41a6ea 52937->52939 52940 40ddaa 52938->52940 53298 4027cb 52939->53298 52940->52677 52942 41a6f6 52943 405ce6 28 API calls 52942->52943 52944 41a702 52943->52944 53301 406478 76 API calls 52944->53301 52946 41a710 52947 401eea 11 API calls 52946->52947 52948 41a71c 52947->52948 52949 401eea 11 API calls 52948->52949 52950 41a725 52949->52950 52951 401eea 11 API calls 52950->52951 52952 41a72e 52951->52952 52953 401eea 11 API calls 52952->52953 52953->52931 52955 409536 _wcslen 52954->52955 52956 409541 52955->52956 52957 409558 52955->52957 52959 40c89e 32 API calls 52956->52959 52958 40c89e 32 API calls 52957->52958 52961 409560 52958->52961 52960 409549 52959->52960 52962 401e18 11 API calls 52960->52962 52963 401e18 11 API calls 52961->52963 52964 409553 52962->52964 52965 40956e 52963->52965 52967 401e13 11 API calls 52964->52967 52966 401e13 11 API calls 52965->52966 52968 409576 52966->52968 52969 4095ad 52967->52969 53321 40856b 28 API calls 52968->53321 53306 409837 52969->53306 52972 409588 53322 4028cf 52972->53322 52975 409593 52976 401e18 11 API calls 52975->52976 52977 40959d 52976->52977 52978 401e13 11 API calls 52977->52978 52978->52964 53348 403b40 52979->53348 52983 41a7fd 52984 4028cf 28 API calls 52983->52984 52985 41a807 52984->52985 52986 401e13 11 API calls 52985->52986 52987 41a810 52986->52987 52988 401e13 11 API calls 52987->52988 52989 40dfc3 52988->52989 52989->52730 52991 40e08b 52990->52991 52992 41248f RegQueryValueExA RegCloseKey 52990->52992 52991->52759 52991->52762 52992->52991 52994 4125b0 RegQueryValueExW RegCloseKey 52993->52994 52995 4125dd 52993->52995 52994->52995 52996 403b40 28 API calls 52995->52996 52997 40e0ba 52996->52997 52997->52771 52999 412992 RegDeleteValueW 52998->52999 53000 4129a6 52998->53000 52999->53000 53001 4129a2 52999->53001 53000->52780 53001->52780 53003 40cbc5 53002->53003 53004 41246e 3 API calls 53003->53004 53005 40cbcc 53004->53005 53009 40cbeb 53005->53009 53375 401602 53005->53375 53007 40cbd9 53378 4127d5 RegCreateKeyA 53007->53378 53010 413fd4 53009->53010 53011 413feb 53010->53011 53392 41aa73 53011->53392 53013 413ff6 53014 401d64 28 API calls 53013->53014 53015 41400f 53014->53015 53016 43a5e7 _strftime 39 API calls 53015->53016 53017 41401c 53016->53017 53018 414021 Sleep 53017->53018 53019 41402e 53017->53019 53018->53019 53020 401f66 28 API calls 53019->53020 53021 41403d 53020->53021 53022 401d64 28 API calls 53021->53022 53023 41404b 53022->53023 53024 401fbd 28 API calls 53023->53024 53025 414053 53024->53025 53026 41afc3 28 API calls 53025->53026 53027 41405b 53026->53027 53396 404262 WSAStartup 53027->53396 53029 414065 53030 401d64 28 API calls 53029->53030 53031 41406e 53030->53031 53032 401d64 28 API calls 53031->53032 53094 4140ed 53031->53094 53033 414087 53032->53033 53035 401d64 28 API calls 53033->53035 53034 401fbd 28 API calls 53034->53094 53036 414098 53035->53036 53038 401d64 28 API calls 53036->53038 53037 41afc3 28 API calls 53037->53094 53039 4140a9 53038->53039 53041 401d64 28 API calls 53039->53041 53040 4085b4 28 API calls 53040->53094 53042 4140ba 53041->53042 53044 401d64 28 API calls 53042->53044 53043 401eef 11 API calls 53043->53094 53045 4140cb 53044->53045 53046 401d64 28 API calls 53045->53046 53047 4140dd 53046->53047 53517 404101 88 API calls 53047->53517 53049 41a686 79 API calls 53049->53094 53051 414244 WSAGetLastError 53518 41bc76 30 API calls 53051->53518 53058 401d64 28 API calls 53058->53094 53059 404cbf 28 API calls 53059->53094 53060 401d64 28 API calls 53062 414b68 53060->53062 53061 401d8c 11 API calls 53061->53094 53062->53060 53064 43a5e7 _strftime 39 API calls 53062->53064 53063 4027cb 28 API calls 53063->53094 53066 414b80 Sleep 53064->53066 53065 405ce6 28 API calls 53065->53094 53066->53094 53069 4082dc 28 API calls 53069->53094 53071 41265d 3 API calls 53071->53094 53072 412513 31 API calls 53072->53094 53073 403b40 28 API calls 53073->53094 53076 401d64 28 API calls 53077 4144ed GetTickCount 53076->53077 53503 41ad46 53077->53503 53080 41ad46 28 API calls 53080->53094 53082 41aec8 28 API calls 53082->53094 53085 40275c 28 API calls 53085->53094 53086 404468 61 API calls 53086->53094 53087 401eea 11 API calls 53087->53094 53088 401e13 11 API calls 53088->53094 53090 414ae4 53539 40a767 84 API calls 53090->53539 53092 401f66 28 API calls 53092->53094 53093 414b22 CreateThread 53093->53094 54018 419e89 105 API calls 53093->54018 53094->53034 53094->53037 53094->53040 53094->53043 53094->53049 53094->53051 53094->53058 53094->53059 53094->53061 53094->53062 53094->53063 53094->53065 53094->53069 53094->53071 53094->53072 53094->53073 53094->53076 53094->53080 53094->53082 53094->53085 53094->53086 53094->53087 53094->53088 53094->53090 53094->53092 53094->53093 53397 413f9a 53094->53397 53402 4041f1 53094->53402 53409 404915 53094->53409 53424 40428c connect 53094->53424 53484 41a96d 53094->53484 53487 413683 53094->53487 53490 440c51 53094->53490 53494 40cbf1 53094->53494 53500 41adee 53094->53500 53508 41aca0 GetLastInputInfo GetTickCount 53094->53508 53509 41ac52 53094->53509 53514 40e679 GetLocaleInfoA 53094->53514 53519 404c9e 28 API calls 53094->53519 53520 4027ec 53094->53520 53524 4045d5 53094->53524 53540 4047eb WaitForSingleObject 53094->53540 53095->52530 53096->52539 53099 4085c0 53098->53099 53100 402e78 28 API calls 53099->53100 53101 4085e4 53100->53101 53101->52561 53103 4124e1 RegQueryValueExA RegCloseKey 53102->53103 53104 41250b 53102->53104 53103->53104 53104->52557 53105->52564 53106->52593 53107->52586 53108->52577 53109->52591 53111 40c8ba 53110->53111 53112 40c8da 53111->53112 53113 40c90f 53111->53113 53114 40c8d0 53111->53114 54030 41a74b 29 API calls 53112->54030 53117 41b15b 2 API calls 53113->53117 53116 40ca03 GetLongPathNameW 53114->53116 53119 403b40 28 API calls 53116->53119 53120 40c914 53117->53120 53118 40c8e3 53121 401e18 11 API calls 53118->53121 53122 40ca18 53119->53122 53123 40c918 53120->53123 53124 40c96a 53120->53124 53125 40c8ed 53121->53125 53126 403b40 28 API calls 53122->53126 53128 403b40 28 API calls 53123->53128 53127 403b40 28 API calls 53124->53127 53132 401e13 11 API calls 53125->53132 53130 40ca27 53126->53130 53131 40c978 53127->53131 53129 40c926 53128->53129 53137 403b40 28 API calls 53129->53137 54019 40cc37 53130->54019 53136 403b40 28 API calls 53131->53136 53132->53114 53139 40c98e 53136->53139 53140 40c93c 53137->53140 53138 40ca45 53141 402860 28 API calls 53138->53141 53142 402860 28 API calls 53139->53142 53143 402860 28 API calls 53140->53143 53144 40ca4f 53141->53144 53145 40c999 53142->53145 53146 40c947 53143->53146 53147 401e13 11 API calls 53144->53147 53148 401e18 11 API calls 53145->53148 53149 401e18 11 API calls 53146->53149 53150 40ca59 53147->53150 53151 40c9a4 53148->53151 53152 40c952 53149->53152 53153 401e13 11 API calls 53150->53153 53154 401e13 11 API calls 53151->53154 53155 401e13 11 API calls 53152->53155 53156 40ca62 53153->53156 53157 40c9ad 53154->53157 53158 40c95b 53155->53158 53159 401e13 11 API calls 53156->53159 53160 401e13 11 API calls 53157->53160 53161 401e13 11 API calls 53158->53161 53162 40ca6b 53159->53162 53160->53125 53161->53125 53163 401e13 11 API calls 53162->53163 53164 40ca74 53163->53164 53165 401e13 11 API calls 53164->53165 53166 40ca7d 53165->53166 53166->52639 53167->52651 53168->52673 53170 412683 RegQueryValueExA RegCloseKey 53169->53170 53171 4126a7 53169->53171 53170->53171 53171->52632 53172->52665 53173->52701 53174->52711 53176 401f66 28 API calls 53175->53176 53177 40c86b 53176->53177 53178 41ae08 28 API calls 53177->53178 53179 40c876 53178->53179 53180 40c89e 32 API calls 53179->53180 53181 40c887 53180->53181 53182 401e13 11 API calls 53181->53182 53183 40c890 53182->53183 53184 401eea 11 API calls 53183->53184 53185 40c898 53184->53185 53185->52738 53186->52723 53187->52756 53189 401e0c 53188->53189 53190->52584 53193 40e183 53192->53193 53194 41a65c LoadResource LockResource SizeofResource 53192->53194 53193->52813 53194->53193 53196 401f86 28 API calls 53195->53196 53197 406066 53196->53197 53197->52824 53203 403c30 53198->53203 53201->52845 53202->52826 53204 403c39 53203->53204 53207 403c59 53204->53207 53208 403c68 53207->53208 53213 4032a4 53208->53213 53210 403c74 53211 402325 28 API calls 53210->53211 53212 403b73 53211->53212 53212->52845 53214 4032b0 53213->53214 53215 4032ad 53213->53215 53218 4032b6 22 API calls 53214->53218 53215->53210 53219->52849 53220->52854 53223 402e85 53221->53223 53222 402ea9 53222->52858 53223->53222 53224 402e98 53223->53224 53226 402eae 53223->53226 53228 403445 28 API calls 53224->53228 53226->53222 53229 40225b 11 API calls 53226->53229 53228->53222 53229->53222 53231 404bd0 53230->53231 53234 40245c 53231->53234 53233 404be4 53233->52861 53235 402469 53234->53235 53237 402478 53235->53237 53238 402ad3 28 API calls 53235->53238 53237->53233 53238->53237 53241 4021c6 53239->53241 53240 4021e8 53240->52865 53241->53240 53242 40262e 11 API calls 53241->53242 53242->53240 53244 401e94 53243->53244 53246 41b183 53245->53246 53247 41b168 GetCurrentProcess IsWow64Process 53245->53247 53246->52875 53247->53246 53248 41b17f 53247->53248 53248->52875 53250 412541 RegQueryValueExA RegCloseKey 53249->53250 53251 412569 53249->53251 53250->53251 53252 401f66 28 API calls 53251->53252 53253 41257e 53252->53253 53253->52878 53254->52886 53256 40b02f 53255->53256 53259 40b04b 53256->53259 53258 40b045 53258->52897 53260 40b055 53259->53260 53262 40b060 53260->53262 53263 40b138 28 API calls 53260->53263 53262->53258 53263->53262 53264->52901 53265->52904 53267 40230d 53266->53267 53268 402325 28 API calls 53267->53268 53269 401f80 53268->53269 53269->52644 53286 43a545 53270->53286 53272 43998b 53292 4392de 35 API calls 3 library calls 53272->53292 53273 439950 53273->53272 53274 439965 53273->53274 53285 43996a pre_c_initialization 53273->53285 53291 445354 20 API calls _free 53274->53291 53278 439997 53279 4399c6 53278->53279 53293 43a58a 39 API calls __Tolower 53278->53293 53282 439a32 53279->53282 53294 43a4f1 20 API calls 2 library calls 53279->53294 53295 43a4f1 20 API calls 2 library calls 53282->53295 53283 439af9 _strftime 53283->53285 53296 445354 20 API calls _free 53283->53296 53285->52929 53287 43a54a 53286->53287 53288 43a55d 53286->53288 53297 445354 20 API calls _free 53287->53297 53288->53273 53290 43a54f pre_c_initialization 53290->53273 53291->53285 53292->53278 53293->53278 53294->53282 53295->53283 53296->53285 53297->53290 53302 401e9b 53298->53302 53300 4027d9 53300->52942 53301->52946 53303 401ea7 53302->53303 53304 40245c 28 API calls 53303->53304 53305 401eb9 53304->53305 53305->53300 53307 409855 53306->53307 53308 4124b7 3 API calls 53307->53308 53309 40985c 53308->53309 53310 409870 53309->53310 53311 40988a 53309->53311 53312 4095cf 53310->53312 53313 409875 53310->53313 53314 4082dc 28 API calls 53311->53314 53312->52696 53325 4082dc 53313->53325 53316 409898 53314->53316 53330 4098a5 85 API calls 53316->53330 53320 409888 53320->53312 53321->52972 53339 402d8b 53322->53339 53324 4028dd 53324->52975 53326 4082eb 53325->53326 53331 408431 53326->53331 53328 408309 53329 409959 29 API calls 53328->53329 53329->53320 53336 40999f 130 API calls 53329->53336 53330->53312 53337 4099b5 53 API calls 53330->53337 53338 4099a9 125 API calls 53330->53338 53332 40843d 53331->53332 53334 40845b 53332->53334 53335 402f0d 28 API calls 53332->53335 53334->53328 53335->53334 53340 402d97 53339->53340 53343 4030f7 53340->53343 53342 402dab 53342->53324 53344 403101 53343->53344 53346 403115 53344->53346 53347 4036c2 28 API calls 53344->53347 53346->53342 53347->53346 53349 403b48 53348->53349 53355 403b7a 53349->53355 53352 403cbb 53364 403dc2 53352->53364 53354 403cc9 53354->52983 53356 403b86 53355->53356 53359 403b9e 53356->53359 53358 403b5a 53358->53352 53360 403ba8 53359->53360 53362 403bb3 53360->53362 53363 403cfd 28 API calls 53360->53363 53362->53358 53363->53362 53365 403dce 53364->53365 53368 402ffd 53365->53368 53367 403de3 53367->53354 53369 40300e 53368->53369 53370 4032a4 22 API calls 53369->53370 53371 40301a 53370->53371 53373 40302e 53371->53373 53374 4035e8 28 API calls 53371->53374 53373->53367 53374->53373 53381 4395ba 53375->53381 53379 412814 53378->53379 53380 4127ed RegSetValueExA RegCloseKey 53378->53380 53379->53009 53380->53379 53384 43953b 53381->53384 53383 401608 53383->53007 53385 43954a 53384->53385 53386 43955e 53384->53386 53390 445354 20 API calls _free 53385->53390 53389 43954f pre_c_initialization __alldvrm 53386->53389 53391 447601 11 API calls 2 library calls 53386->53391 53389->53383 53390->53389 53391->53389 53393 41aab9 ctype ___scrt_fastfail 53392->53393 53394 401f66 28 API calls 53393->53394 53395 41ab2e 53394->53395 53395->53013 53396->53029 53398 413fb3 getaddrinfo WSASetLastError 53397->53398 53399 413fa9 53397->53399 53398->53094 53553 413e37 29 API calls ___std_exception_copy 53399->53553 53401 413fae 53401->53398 53403 404206 socket 53402->53403 53404 4041fd 53402->53404 53405 404220 53403->53405 53406 404224 CreateEventW 53403->53406 53554 404262 WSAStartup 53404->53554 53405->53094 53406->53094 53408 404202 53408->53403 53408->53405 53410 4049b1 53409->53410 53411 40492a 53409->53411 53410->53094 53412 404933 53411->53412 53413 404987 CreateEventA CreateThread 53411->53413 53414 404942 GetLocalTime 53411->53414 53412->53413 53413->53410 53556 404b1d 53413->53556 53415 41ad46 28 API calls 53414->53415 53416 40495b 53415->53416 53555 404c9e 28 API calls 53416->53555 53418 404968 53419 401f66 28 API calls 53418->53419 53420 404977 53419->53420 53421 41a686 79 API calls 53420->53421 53422 40497c 53421->53422 53423 401eea 11 API calls 53422->53423 53423->53413 53425 4043e1 53424->53425 53426 4042b3 53424->53426 53427 404343 53425->53427 53428 4043e7 WSAGetLastError 53425->53428 53426->53427 53429 4042e8 53426->53429 53432 404cbf 28 API calls 53426->53432 53427->53094 53428->53427 53430 4043f7 53428->53430 53560 420151 27 API calls 53429->53560 53433 4042f7 53430->53433 53434 4043fc 53430->53434 53436 4042d4 53432->53436 53440 401f66 28 API calls 53433->53440 53565 41bc76 30 API calls 53434->53565 53435 4042f0 53435->53433 53439 404306 53435->53439 53441 401f66 28 API calls 53436->53441 53438 40440b 53566 404c9e 28 API calls 53438->53566 53449 404315 53439->53449 53450 40434c 53439->53450 53443 404448 53440->53443 53444 4042e3 53441->53444 53447 401f66 28 API calls 53443->53447 53445 41a686 79 API calls 53444->53445 53445->53429 53446 404418 53448 401f66 28 API calls 53446->53448 53451 404457 53447->53451 53452 404427 53448->53452 53454 401f66 28 API calls 53449->53454 53562 420f34 54 API calls 53450->53562 53455 41a686 79 API calls 53451->53455 53456 41a686 79 API calls 53452->53456 53458 404324 53454->53458 53455->53427 53459 40442c 53456->53459 53457 404354 53460 404389 53457->53460 53461 404359 53457->53461 53462 401f66 28 API calls 53458->53462 53464 401eea 11 API calls 53459->53464 53564 4202ea 28 API calls 53460->53564 53465 401f66 28 API calls 53461->53465 53466 404333 53462->53466 53464->53427 53468 404368 53465->53468 53469 41a686 79 API calls 53466->53469 53467 404391 53470 4043be CreateEventW CreateEventW 53467->53470 53473 401f66 28 API calls 53467->53473 53471 401f66 28 API calls 53468->53471 53472 404338 53469->53472 53470->53427 53474 404377 53471->53474 53561 41dc15 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 53472->53561 53476 4043a7 53473->53476 53477 41a686 79 API calls 53474->53477 53478 401f66 28 API calls 53476->53478 53479 40437c 53477->53479 53480 4043b6 53478->53480 53563 420592 52 API calls 53479->53563 53482 41a686 79 API calls 53480->53482 53483 4043bb 53482->53483 53483->53470 53567 41a945 GlobalMemoryStatusEx 53484->53567 53486 41a982 53486->53094 53568 413646 53487->53568 53491 440c5d 53490->53491 53606 440a4d 53491->53606 53493 440c7e 53493->53094 53495 40cc0d 53494->53495 53496 41246e 3 API calls 53495->53496 53498 40cc14 53496->53498 53497 40cc2c 53497->53094 53498->53497 53499 4124b7 3 API calls 53498->53499 53499->53497 53501 401f86 28 API calls 53500->53501 53502 41ae03 53501->53502 53502->53094 53504 440c51 20 API calls 53503->53504 53505 41ad67 53504->53505 53506 401f66 28 API calls 53505->53506 53507 41ad75 53506->53507 53507->53094 53508->53094 53510 436050 ___scrt_fastfail 53509->53510 53511 41ac71 GetForegroundWindow GetWindowTextW 53510->53511 53512 403b40 28 API calls 53511->53512 53513 41ac9b 53512->53513 53513->53094 53515 401f66 28 API calls 53514->53515 53516 40e69e 53515->53516 53516->53094 53517->53094 53518->53094 53519->53094 53521 4027f8 53520->53521 53522 402e78 28 API calls 53521->53522 53523 402814 53522->53523 53523->53094 53527 4045ec 53524->53527 53525 43a88c ___std_exception_copy 21 API calls 53525->53527 53527->53525 53528 401f86 28 API calls 53527->53528 53529 404666 53527->53529 53530 401eef 11 API calls 53527->53530 53533 401eea 11 API calls 53527->53533 53611 40455b 53527->53611 53617 404688 53527->53617 53528->53527 53531 4047eb 98 API calls 53529->53531 53530->53527 53532 40466d 53531->53532 53534 401eea 11 API calls 53532->53534 53533->53527 53535 404676 53534->53535 53536 401eea 11 API calls 53535->53536 53537 40467f 53536->53537 53537->53094 53539->53094 53541 404805 SetEvent CloseHandle 53540->53541 53542 40481c closesocket 53540->53542 53543 40489c 53541->53543 53544 404829 53542->53544 53543->53094 53545 40483f 53544->53545 54015 404ab1 83 API calls 53544->54015 53546 404851 WaitForSingleObject 53545->53546 53547 404892 SetEvent CloseHandle 53545->53547 54016 41dc15 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 53546->54016 53547->53543 53550 404860 SetEvent WaitForSingleObject 54017 41dc15 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 53550->54017 53552 404878 SetEvent CloseHandle CloseHandle 53552->53547 53553->53401 53554->53408 53555->53418 53559 404b29 101 API calls 53556->53559 53558 404b26 53559->53558 53560->53435 53561->53427 53562->53457 53563->53472 53564->53467 53565->53438 53566->53446 53567->53486 53571 413619 53568->53571 53572 41362e ___scrt_initialize_default_local_stdio_options 53571->53572 53575 43e2dd 53572->53575 53578 43b030 53575->53578 53579 43b070 53578->53579 53580 43b058 53578->53580 53579->53580 53582 43b078 53579->53582 53600 445354 20 API calls _free 53580->53600 53601 4392de 35 API calls 3 library calls 53582->53601 53583 43b05d pre_c_initialization 53593 433d2c 53583->53593 53585 43b088 53602 43b7b6 20 API calls 2 library calls 53585->53602 53588 43b100 53603 43be24 50 API calls 3 library calls 53588->53603 53589 41363c 53589->53094 53592 43b10b 53604 43b820 20 API calls _free 53592->53604 53594 433d37 IsProcessorFeaturePresent 53593->53594 53595 433d35 53593->53595 53597 4341a4 53594->53597 53595->53589 53605 434168 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 53597->53605 53599 434287 53599->53589 53600->53583 53601->53585 53602->53588 53603->53592 53604->53583 53605->53599 53607 440a64 53606->53607 53609 440a9b pre_c_initialization 53607->53609 53610 445354 20 API calls _free 53607->53610 53609->53493 53610->53609 53612 404592 recv 53611->53612 53613 404565 WaitForSingleObject 53611->53613 53615 4045a5 53612->53615 53630 420556 54 API calls 53613->53630 53615->53527 53616 404581 SetEvent 53616->53615 53620 4046a3 53617->53620 53618 4047d8 53619 401eea 11 API calls 53618->53619 53621 4047e1 53619->53621 53620->53618 53622 401eef 11 API calls 53620->53622 53623 401eea 11 API calls 53620->53623 53624 401fbd 28 API calls 53620->53624 53625 401ebd 28 API calls 53620->53625 53627 403b60 28 API calls 53620->53627 53629 402654 11 API calls 53620->53629 53631 411b60 53620->53631 53621->53527 53622->53620 53623->53620 53624->53620 53626 404772 CreateEventA CreateThread WaitForSingleObject CloseHandle 53625->53626 53626->53620 53930 414b9b 53626->53930 53627->53620 53629->53620 53630->53616 53632 411b72 53631->53632 53633 403b60 28 API calls 53632->53633 53634 411b85 53633->53634 53635 401fbd 28 API calls 53634->53635 53636 411b94 53635->53636 53637 401fbd 28 API calls 53636->53637 53638 411ba3 53637->53638 53639 41afc3 28 API calls 53638->53639 53640 411bac 53639->53640 53641 411c60 53640->53641 53643 401d64 28 API calls 53640->53643 53642 401d8c 11 API calls 53641->53642 53645 411c69 53642->53645 53644 411bc8 53643->53644 53646 401fbd 28 API calls 53644->53646 53647 401eea 11 API calls 53645->53647 53648 411bd0 53646->53648 53649 411c72 53647->53649 53650 401d64 28 API calls 53648->53650 53651 401eea 11 API calls 53649->53651 53653 411be0 53650->53653 53652 411c7a 53651->53652 53652->53620 53654 401fbd 28 API calls 53653->53654 53655 411be8 53654->53655 53656 401d64 28 API calls 53655->53656 53657 411bf8 53656->53657 53658 401fbd 28 API calls 53657->53658 53659 411c00 53658->53659 53660 401d64 28 API calls 53659->53660 53661 411c10 53660->53661 53662 401fbd 28 API calls 53661->53662 53663 411c18 53662->53663 53664 401d64 28 API calls 53663->53664 53665 411c28 53664->53665 53666 401fbd 28 API calls 53665->53666 53667 411c30 53666->53667 53668 401d64 28 API calls 53667->53668 53669 411c43 53668->53669 53670 401fbd 28 API calls 53669->53670 53671 411c4b 53670->53671 53675 411c81 GetModuleFileNameW 53671->53675 53674 4047eb 98 API calls 53674->53641 53697 411cac 53675->53697 53676 41ab38 42 API calls 53676->53697 53677 40c854 32 API calls 53677->53697 53678 401eea 11 API calls 53678->53697 53679 403cbb 28 API calls 53679->53697 53680 403cdc 28 API calls 53680->53697 53681 4028cf 28 API calls 53681->53697 53682 401e13 11 API calls 53682->53697 53683 411dea Sleep 53683->53697 53684 4176b6 31 API calls 53684->53697 53685 411e8c Sleep 53685->53697 53686 403b40 28 API calls 53686->53697 53687 411f2e Sleep 53687->53697 53688 411f90 DeleteFileW 53688->53697 53689 41b61a 32 API calls 53689->53697 53690 411fc7 DeleteFileW 53690->53697 53691 412019 Sleep 53691->53697 53692 412003 DeleteFileW 53692->53697 53693 412092 53694 401e13 11 API calls 53693->53694 53695 41209e 53694->53695 53696 401e13 11 API calls 53695->53696 53698 4120aa 53696->53698 53697->53676 53697->53677 53697->53678 53697->53679 53697->53680 53697->53681 53697->53682 53697->53683 53697->53684 53697->53685 53697->53686 53697->53687 53697->53688 53697->53689 53697->53690 53697->53691 53697->53692 53697->53693 53701 41205e Sleep 53697->53701 53699 401e13 11 API calls 53698->53699 53700 4120b6 53699->53700 53702 40b027 28 API calls 53700->53702 53703 401e13 11 API calls 53701->53703 53704 4120c9 53702->53704 53708 41206e 53703->53708 53706 401fbd 28 API calls 53704->53706 53705 401e13 11 API calls 53705->53708 53707 4120e9 53706->53707 53817 4123f7 53707->53817 53708->53697 53708->53705 53710 412090 53708->53710 53710->53700 53712 401e13 11 API calls 53713 412100 53712->53713 53714 412125 53713->53714 53715 412274 53713->53715 53829 41aec8 53714->53829 53716 41aec8 28 API calls 53715->53716 53718 41227d 53716->53718 53721 4027ec 28 API calls 53718->53721 53720 41ad46 28 API calls 53723 412146 53720->53723 53722 4122b2 53721->53722 53724 4027cb 28 API calls 53722->53724 53725 4027ec 28 API calls 53723->53725 53726 4122c1 53724->53726 53727 412176 53725->53727 53728 4027cb 28 API calls 53726->53728 53729 4027cb 28 API calls 53727->53729 53730 4122cd 53728->53730 53731 412185 53729->53731 53732 4027cb 28 API calls 53730->53732 53733 4027cb 28 API calls 53731->53733 53734 4122dc 53732->53734 53735 412194 53733->53735 53736 4027cb 28 API calls 53734->53736 53737 4027cb 28 API calls 53735->53737 53738 4122eb 53736->53738 53739 4121a3 53737->53739 53740 4027cb 28 API calls 53738->53740 53741 4027cb 28 API calls 53739->53741 53742 4122fa 53740->53742 53743 4121b2 53741->53743 53744 4027cb 28 API calls 53742->53744 53745 4027cb 28 API calls 53743->53745 53746 412309 53744->53746 53747 4121be 53745->53747 53835 40275c 28 API calls 53746->53835 53749 4027cb 28 API calls 53747->53749 53751 4121ca 53749->53751 53750 412313 53753 404468 61 API calls 53750->53753 53833 40275c 28 API calls 53751->53833 53754 412320 53753->53754 53756 401eea 11 API calls 53754->53756 53755 4121d9 53757 4027cb 28 API calls 53755->53757 53758 41232c 53756->53758 53759 4121e5 53757->53759 53760 401eea 11 API calls 53758->53760 53834 40275c 28 API calls 53759->53834 53762 412338 53760->53762 53764 401eea 11 API calls 53762->53764 53763 4121ef 53765 404468 61 API calls 53763->53765 53766 412344 53764->53766 53767 4121fc 53765->53767 53768 401eea 11 API calls 53766->53768 53769 401eea 11 API calls 53767->53769 53770 412350 53768->53770 53771 412205 53769->53771 53772 401eea 11 API calls 53770->53772 53773 401eea 11 API calls 53771->53773 53774 412359 53772->53774 53775 41220e 53773->53775 53776 401eea 11 API calls 53774->53776 53777 401eea 11 API calls 53775->53777 53778 412362 53776->53778 53779 412217 53777->53779 53780 401eea 11 API calls 53778->53780 53781 401eea 11 API calls 53779->53781 53782 412268 53780->53782 53783 412220 53781->53783 53785 401eea 11 API calls 53782->53785 53784 401eea 11 API calls 53783->53784 53786 41222c 53784->53786 53787 412374 53785->53787 53788 401eea 11 API calls 53786->53788 53789 401e13 11 API calls 53787->53789 53790 412238 53788->53790 53791 412380 53789->53791 53792 401eea 11 API calls 53790->53792 53793 401eea 11 API calls 53791->53793 53794 412244 53792->53794 53795 41238c 53793->53795 53796 401eea 11 API calls 53794->53796 53797 401eea 11 API calls 53795->53797 53798 412250 53796->53798 53799 412398 53797->53799 53800 401eea 11 API calls 53798->53800 53801 401eea 11 API calls 53799->53801 53802 41225c 53800->53802 53803 4123a4 53801->53803 53804 401eea 11 API calls 53802->53804 53805 401eea 11 API calls 53803->53805 53804->53782 53806 4123b0 53805->53806 53807 401eea 11 API calls 53806->53807 53808 4123bc 53807->53808 53809 401eea 11 API calls 53808->53809 53810 4123c8 53809->53810 53811 401eea 11 API calls 53810->53811 53812 4123d4 53811->53812 53813 401eea 11 API calls 53812->53813 53814 4123e0 53813->53814 53815 401eea 11 API calls 53814->53815 53816 411c50 53815->53816 53816->53674 53818 412435 53817->53818 53820 412406 53817->53820 53819 412444 53818->53819 53839 10001c5b 53818->53839 53821 403b40 28 API calls 53819->53821 53836 410b0d 53820->53836 53822 412450 53821->53822 53824 401eea 11 API calls 53822->53824 53826 4120f4 53824->53826 53826->53712 53830 41aed5 53829->53830 53831 401f86 28 API calls 53830->53831 53832 412131 53831->53832 53832->53720 53833->53755 53834->53763 53835->53750 53844 410b19 53836->53844 53840 10001c6b ___scrt_fastfail 53839->53840 53891 100012ee 53840->53891 53842 10001c87 53842->53819 53843 410d8d 22 API calls ___std_exception_copy 53843->53818 53875 4105b9 53844->53875 53846 410b38 53848 4105b9 SetLastError 53846->53848 53861 410c1f SetLastError 53846->53861 53872 410b15 53846->53872 53850 410b5f 53848->53850 53849 410bbf GetNativeSystemInfo 53851 410bd6 53849->53851 53850->53849 53850->53850 53850->53861 53850->53872 53851->53861 53878 410abe VirtualAlloc 53851->53878 53853 410bfe 53854 410c26 GetProcessHeap HeapAlloc 53853->53854 53888 410abe VirtualAlloc 53853->53888 53856 410c3d 53854->53856 53857 410c4f 53854->53857 53889 410ad5 VirtualFree 53856->53889 53860 4105b9 SetLastError 53857->53860 53858 410c16 53858->53854 53858->53861 53862 410c98 53860->53862 53861->53872 53863 410d45 53862->53863 53879 410abe VirtualAlloc 53862->53879 53890 410eb0 GetProcessHeap HeapFree 53863->53890 53866 410cb1 ctype 53880 4105cc SetLastError ctype ___scrt_fastfail 53866->53880 53868 410cdd 53868->53863 53881 410975 24 API calls 53868->53881 53870 410d04 53870->53863 53882 410769 53870->53882 53872->53843 53873 410d0f 53873->53863 53873->53872 53874 410d3a SetLastError 53873->53874 53874->53863 53876 4105c8 53875->53876 53877 4105bd SetLastError 53875->53877 53876->53846 53877->53846 53878->53853 53879->53866 53880->53868 53881->53870 53886 410790 53882->53886 53883 41087f 53884 4106d3 VirtualProtect 53883->53884 53885 410891 53884->53885 53885->53873 53886->53883 53886->53885 53887 4106d3 VirtualProtect 53886->53887 53887->53886 53888->53858 53889->53861 53890->53872 53892 10001324 ___scrt_fastfail 53891->53892 53893 100013b7 GetEnvironmentVariableW 53892->53893 53917 100010f1 53893->53917 53896 100010f1 57 API calls 53897 10001465 53896->53897 53898 100010f1 57 API calls 53897->53898 53899 10001479 53898->53899 53900 100010f1 57 API calls 53899->53900 53901 1000148d 53900->53901 53902 100010f1 57 API calls 53901->53902 53903 100014a1 53902->53903 53904 100010f1 57 API calls 53903->53904 53905 100014b5 lstrlenW 53904->53905 53906 100014d2 53905->53906 53907 100014d9 lstrlenW 53905->53907 53906->53842 53908 100010f1 57 API calls 53907->53908 53909 10001501 lstrlenW lstrcatW 53908->53909 53910 100010f1 57 API calls 53909->53910 53911 10001539 lstrlenW lstrcatW 53910->53911 53912 100010f1 57 API calls 53911->53912 53913 1000156b lstrlenW lstrcatW 53912->53913 53914 100010f1 57 API calls 53913->53914 53915 1000159d lstrlenW lstrcatW 53914->53915 53916 100010f1 57 API calls 53915->53916 53916->53906 53918 10001118 ___scrt_fastfail 53917->53918 53919 10001129 lstrlenW 53918->53919 53920 10002c40 ___scrt_fastfail 53919->53920 53921 10001148 lstrcatW lstrlenW 53920->53921 53922 10001177 lstrlenW FindFirstFileW 53921->53922 53923 10001168 lstrlenW 53921->53923 53924 100011a0 53922->53924 53925 100011e1 53922->53925 53923->53922 53926 100011c7 FindNextFileW 53924->53926 53927 100011aa 53924->53927 53925->53896 53926->53924 53928 100011da FindClose 53926->53928 53927->53926 53929 10001000 49 API calls 53927->53929 53928->53925 53929->53927 53931 401fbd 28 API calls 53930->53931 53932 414bbd SetEvent 53931->53932 53933 414bd2 53932->53933 53934 403b60 28 API calls 53933->53934 53935 414bec 53934->53935 53936 401fbd 28 API calls 53935->53936 53937 414bfc 53936->53937 53938 401fbd 28 API calls 53937->53938 53939 414c0e 53938->53939 53940 41afc3 28 API calls 53939->53940 53941 414c17 53940->53941 53942 414d8a 53941->53942 53943 414c37 GetTickCount 53941->53943 54004 414d99 53941->54004 53944 401d8c 11 API calls 53942->53944 53945 41ad46 28 API calls 53943->53945 53946 4161fb 53944->53946 53948 414c4d 53945->53948 53949 401eea 11 API calls 53946->53949 53947 414dad 54014 404ab1 83 API calls 53947->54014 54009 41aca0 GetLastInputInfo GetTickCount 53948->54009 53952 416207 53949->53952 53955 401eea 11 API calls 53952->53955 53953 414d7d 53953->53942 53954 414c54 53956 41ad46 28 API calls 53954->53956 53957 416213 53955->53957 53958 414c5f 53956->53958 53959 41ac52 30 API calls 53958->53959 53960 414c6d 53959->53960 53961 41aec8 28 API calls 53960->53961 53962 414c7b 53961->53962 53963 401d64 28 API calls 53962->53963 53964 414c89 53963->53964 53965 4027ec 28 API calls 53964->53965 53966 414c97 53965->53966 54010 40275c 28 API calls 53966->54010 53968 414ca6 53969 4027cb 28 API calls 53968->53969 53970 414cb5 53969->53970 54011 40275c 28 API calls 53970->54011 53972 414cc4 53973 4027cb 28 API calls 53972->53973 53974 414cd0 53973->53974 54012 40275c 28 API calls 53974->54012 53976 414cda 53977 404468 61 API calls 53976->53977 53978 414ce9 53977->53978 53979 401eea 11 API calls 53978->53979 53980 414cf2 53979->53980 53981 401eea 11 API calls 53980->53981 53982 414cfe 53981->53982 53983 401eea 11 API calls 53982->53983 53984 414d0a 53983->53984 53985 401eea 11 API calls 53984->53985 53986 414d16 53985->53986 53987 401eea 11 API calls 53986->53987 53988 414d22 53987->53988 53989 401eea 11 API calls 53988->53989 53990 414d2e 53989->53990 53991 401e13 11 API calls 53990->53991 53992 414d3a 53991->53992 53993 401eea 11 API calls 53992->53993 53994 414d43 53993->53994 53995 401eea 11 API calls 53994->53995 53996 414d4c 53995->53996 53997 401d64 28 API calls 53996->53997 53998 414d57 53997->53998 53999 43a5e7 _strftime 39 API calls 53998->53999 54000 414d64 53999->54000 54001 414d69 54000->54001 54002 414d8f 54000->54002 54005 414d82 54001->54005 54006 414d77 54001->54006 54003 401d64 28 API calls 54002->54003 54003->54004 54004->53942 54004->53947 54008 404915 104 API calls 54005->54008 54013 4049ba 81 API calls 54006->54013 54008->53942 54009->53954 54010->53968 54011->53972 54012->53976 54013->53953 54014->53953 54015->53545 54016->53550 54017->53552 54020 40cc3f 54019->54020 54021 403b9e 28 API calls 54020->54021 54022 40ca3a 54021->54022 54023 402860 54022->54023 54027 40286f 54023->54027 54024 4028b1 54032 402daf 54024->54032 54026 4028af 54026->53138 54027->54024 54028 4028a6 54027->54028 54031 402d68 28 API calls 54028->54031 54030->53118 54031->54026 54033 402dbb 54032->54033 54034 4030f7 28 API calls 54033->54034 54035 402dcd 54034->54035 54035->54026 54038 40e56a 54036->54038 54037 4124b7 3 API calls 54037->54038 54038->54037 54039 40e60e 54038->54039 54041 40e5fe Sleep 54038->54041 54046 40e59c 54038->54046 54042 4082dc 28 API calls 54039->54042 54040 4082dc 28 API calls 54040->54046 54041->54038 54043 40e619 54042->54043 54047 41ae08 28 API calls 54043->54047 54045 41ae08 28 API calls 54045->54046 54046->54040 54046->54041 54046->54045 54051 401e13 11 API calls 54046->54051 54054 401f66 28 API calls 54046->54054 54058 4126d2 14 API calls 54046->54058 54069 40bf04 73 API calls ___scrt_fastfail 54046->54069 54070 412774 14 API calls 54046->54070 54048 40e625 54047->54048 54071 412774 14 API calls 54048->54071 54051->54046 54052 40e638 54053 401e13 11 API calls 54052->54053 54055 40e644 54053->54055 54054->54046 54056 401f66 28 API calls 54055->54056 54057 40e655 54056->54057 54059 4126d2 14 API calls 54057->54059 54058->54046 54060 40e668 54059->54060 54072 411699 TerminateProcess WaitForSingleObject 54060->54072 54062 40e670 ExitProcess 54073 411637 62 API calls 54064->54073 54070->54046 54071->54052 54072->54062 54074 41569e 54075 401d64 28 API calls 54074->54075 54076 4156b3 54075->54076 54077 401fbd 28 API calls 54076->54077 54078 4156bb 54077->54078 54079 401d64 28 API calls 54078->54079 54080 4156cb 54079->54080 54081 401fbd 28 API calls 54080->54081 54082 4156d3 54081->54082 54085 411aed 54082->54085 54086 4041f1 3 API calls 54085->54086 54087 411b01 54086->54087 54088 40428c 97 API calls 54087->54088 54089 411b09 54088->54089 54090 4027ec 28 API calls 54089->54090 54091 411b22 54090->54091 54092 4027cb 28 API calls 54091->54092 54093 411b2c 54092->54093 54094 404468 61 API calls 54093->54094 54095 411b36 54094->54095 54096 401eea 11 API calls 54095->54096 54097 411b3e 54096->54097 54098 4045d5 261 API calls 54097->54098 54099 411b4c 54098->54099 54100 401eea 11 API calls 54099->54100 54101 411b54 54100->54101 54102 401eea 11 API calls 54101->54102 54103 411b5c 54102->54103

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BD01
                                                                                                • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
                                                                                                • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BD30
                                                                                                • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BD44
                                                                                                • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BD58
                                                                                                • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                                                                                • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                                                                                • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                                                                                • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
                                                                                                • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                                                                                • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
                                                                                                • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
                                                                                                • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
                                                                                                • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                                                                                • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BE09
                                                                                                • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D783), ref: 0041BE16
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BE19
                                                                                                • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE2B
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BE2E
                                                                                                • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D783), ref: 0041BE3B
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BE3E
                                                                                                • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE50
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BE53
                                                                                                • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D783), ref: 0041BE60
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BE63
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: AddressProc$HandleLibraryLoadModule
                                                                                                • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                                                                • API String ID: 384173800-625181639
                                                                                                • Opcode ID: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                                                                                • Instruction ID: 894fbade80705e672e772900be83df88f70523cf1842e1027a1ce5ee2e2841b6
                                                                                                • Opcode Fuzzy Hash: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                                                                                • Instruction Fuzzy Hash: 2831EDA0E4031C7ADA107FB69C49E5B7E9CD944B953110827B508D3162FBBDA9809EEE

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 5 40d767-40d7e9 call 41bce3 GetModuleFileNameW call 40e168 call 401fbd * 2 call 41afc3 call 40e8bd call 401d8c call 43e820 22 40d835-40d8fd call 401d64 call 401e8f call 401d64 call 404cbf call 405ce6 call 401eef call 401eea * 2 call 401d64 call 401ebd call 40541d call 401d64 call 404bb1 call 401d64 call 404bb1 5->22 23 40d7eb-40d830 call 40e986 call 401d64 call 401e8f call 40fcba call 40e937 call 40e155 5->23 69 40d950-40d96b call 401d64 call 40b125 22->69 70 40d8ff-40d94a call 4085b4 call 401eef call 401eea call 401e8f call 4124b7 22->70 49 40dc96-40dca7 call 401eea 23->49 79 40d9a5-40d9ac call 40bed7 69->79 80 40d96d-40d98c call 401e8f call 4124b7 69->80 70->69 102 40e134-40e154 call 401e8f call 412902 call 4112b5 70->102 90 40d9b5-40d9bc 79->90 91 40d9ae-40d9b0 79->91 80->79 98 40d98e-40d9a4 call 401e8f call 412902 80->98 93 40d9c0-40d9cc call 41a463 90->93 94 40d9be 90->94 92 40dc95 91->92 92->49 103 40d9d5-40d9d9 93->103 104 40d9ce-40d9d0 93->104 94->93 98->79 107 40da18-40da2b call 401d64 call 401e8f 103->107 108 40d9db call 40697b 103->108 104->103 128 40da32-40daba call 401d64 call 41ae08 call 401e18 call 401e13 call 401d64 call 401e8f call 401d64 call 401e8f call 401d64 call 401e8f call 401d64 call 401e8f 107->128 129 40da2d call 4069ba 107->129 117 40d9e0-40d9e2 108->117 120 40d9e4-40d9e9 call 40699d call 4064d0 117->120 121 40d9ee-40da01 call 401d64 call 401e8f 117->121 120->121 121->107 138 40da03-40da09 121->138 163 40db22-40db26 128->163 164 40dabc-40dad5 call 401d64 call 401e8f call 43a611 128->164 129->128 138->107 140 40da0b-40da11 138->140 140->107 142 40da13 call 4064d0 140->142 142->107 165 40dcaa-40dd01 call 436050 call 4022f8 call 401e8f * 2 call 41265d call 4082d7 163->165 166 40db2c-40db33 163->166 164->163 188 40dad7-40db1d call 401d64 call 401e8f call 401d64 call 401e8f call 40c89e call 401e18 call 401e13 164->188 219 40dd06-40dd5c call 401d64 call 401e8f call 401f66 call 401e8f call 4126d2 call 401d64 call 401e8f call 43a5e7 165->219 168 40dbb1-40dbbb call 4082d7 166->168 169 40db35-40dbaf call 401d64 call 401e8f call 401d64 call 401e8f call 401d64 call 401e8f call 401d64 call 401e8f call 401d64 call 401e8f call 40bc67 166->169 178 40dbc0-40dbe4 call 4022f8 call 4338c8 168->178 169->178 196 40dbf3 178->196 197 40dbe6-40dbf1 call 436050 178->197 188->163 202 40dbf5-40dc40 call 401e07 call 43e349 call 4022f8 call 401e8f call 4022f8 call 401e8f call 4128a2 196->202 197->202 257 40dc45-40dc6a call 4338d1 call 401d64 call 40b125 202->257 272 40dd79-40dd7b 219->272 273 40dd5e 219->273 257->219 274 40dc70-40dc91 call 401d64 call 41ae08 call 40e219 257->274 276 40dd81 272->276 277 40dd7d-40dd7f 272->277 275 40dd60-40dd77 call 41beb0 CreateThread 273->275 274->219 291 40dc93 274->291 280 40dd87-40de66 call 401f66 * 2 call 41a686 call 401d64 call 401e8f call 401d64 call 401e8f call 401d64 call 401e8f call 43a5e7 call 401d64 call 401e8f call 401d64 call 401e8f call 401d64 call 401e8f call 401d64 call 401e8f StrToIntA call 409517 call 401d64 call 401e8f 275->280 276->280 277->275 330 40dea1 280->330 331 40de68-40de9f call 43360d call 401d64 call 401e8f CreateThread 280->331 291->92 333 40dea3-40debb call 401d64 call 401e8f 330->333 331->333 342 40def9-40df0c call 401d64 call 401e8f 333->342 343 40debd-40def4 call 43360d call 401d64 call 401e8f CreateThread 333->343 354 40df6c-40df7f call 401d64 call 401e8f 342->354 355 40df0e-40df67 call 401d64 call 401e8f call 401d64 call 401e8f call 40c854 call 401e18 call 401e13 CreateThread 342->355 343->342 365 40df81-40dfb5 call 401d64 call 401e8f call 401d64 call 401e8f call 43a5e7 call 40b95c 354->365 366 40dfba-40dfde call 41a7a2 call 401e18 call 401e13 354->366 355->354 365->366 386 40dfe0-40dfe1 SetProcessDEPPolicy 366->386 387 40dfe3-40dff6 CreateThread 366->387 386->387 390 40e004-40e00b 387->390 391 40dff8-40e002 CreateThread 387->391 394 40e019-40e020 390->394 395 40e00d-40e017 CreateThread 390->395 391->390 398 40e022-40e025 394->398 399 40e033-40e038 394->399 395->394 401 40e073-40e08e call 401e8f call 41246e 398->401 402 40e027-40e031 398->402 404 40e03d-40e06e call 401f66 call 404c9e call 401f66 call 41a686 call 401eea 399->404 414 40e094-40e0d4 call 41ae08 call 401e07 call 412584 call 401e13 call 401e07 401->414 415 40e12a-40e12f call 40cbac call 413fd4 401->415 402->404 404->401 433 40e0ed-40e0f2 DeleteFileW 414->433 415->102 434 40e0f4-40e125 call 41ae08 call 401e07 call 41297a call 401e13 * 2 433->434 435 40e0d6-40e0d9 433->435 434->415 435->434 436 40e0db-40e0e8 Sleep call 401e07 435->436 436->433
                                                                                                APIs
                                                                                                  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
                                                                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD01
                                                                                                  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
                                                                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
                                                                                                  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
                                                                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD30
                                                                                                  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
                                                                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD44
                                                                                                  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
                                                                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD58
                                                                                                  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
                                                                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                                                                                  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
                                                                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                                                                                  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
                                                                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                                                                                  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
                                                                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
                                                                                                  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
                                                                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                                                                                  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
                                                                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
                                                                                                  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
                                                                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
                                                                                                  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
                                                                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
                                                                                                  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
                                                                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                                                                                  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
                                                                                                • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe,00000104), ref: 0040D790
                                                                                                  • Part of subcall function 0040FCBA: __EH_prolog.LIBCMT ref: 0040FCBF
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                                                                • String ID: \o$0?o$0DG$Access Level: $Administrator$C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe$Exe$Exe$Inj$Remcos Agent initialized$Rmc-QYW18E$Software\$User$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$`=G$dCG$del$del$exepath$licence$license_code.txt
                                                                                                • API String ID: 2830904901-1311693770
                                                                                                • Opcode ID: 43aaed5b369b5bfe2ebad6f5098ff0b067cd3c122446e124b97338107f89e63e
                                                                                                • Instruction ID: 4071723a11783d2da8da933f82134b9c6f3815e49c8d87d463163304bf45e319
                                                                                                • Opcode Fuzzy Hash: 43aaed5b369b5bfe2ebad6f5098ff0b067cd3c122446e124b97338107f89e63e
                                                                                                • Instruction Fuzzy Hash: 4032A360B043406ADA18B776DC57BBE269A8FC1748F04443FB8467B2E2DE7C9D45839E

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 447 417245-417262 448 417266-4172d9 GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 447->448 449 4175cd 448->449 450 4172df-4172e6 448->450 451 4175cf-4175d9 449->451 450->449 452 4172ec-4172f3 450->452 452->449 453 4172f9-4172fb 452->453 453->449 454 417301-41732d call 436050 * 2 453->454 454->449 459 417333-41733e 454->459 459->449 460 417344-417374 CreateProcessW 459->460 461 4175c7 GetLastError 460->461 462 41737a-4173a2 VirtualAlloc Wow64GetThreadContext 460->462 461->449 463 417593-4175c5 VirtualFree GetCurrentProcess NtUnmapViewOfSection NtClose TerminateProcess 462->463 464 4173a8-4173c8 ReadProcessMemory 462->464 463->449 464->463 465 4173ce-4173ee NtCreateSection 464->465 465->463 466 4173f4-417401 465->466 467 417403-41740e NtUnmapViewOfSection 466->467 468 417414-417436 NtMapViewOfSection 466->468 467->468 469 417477-41749e GetCurrentProcess NtMapViewOfSection 468->469 470 417438-417466 VirtualFree NtClose TerminateProcess 468->470 471 417591 469->471 472 4174a4-4174a6 469->472 470->449 473 41746c-417472 470->473 471->463 474 4174a8-4174ac 472->474 475 4174af-4174d6 call 435ad0 472->475 473->448 474->475 478 417516-417520 475->478 479 4174d8-4174e2 475->479 481 417522-417528 478->481 482 41753e-417542 478->482 480 4174e6-417509 call 435ad0 479->480 492 41750b-417512 480->492 481->482 486 41752a-41753b call 417651 481->486 483 417544-417560 WriteProcessMemory 482->483 484 417566-41757d Wow64SetThreadContext 482->484 483->463 487 417562 483->487 484->463 488 41757f-41758b ResumeThread 484->488 486->482 487->484 488->463 491 41758d-41758f 488->491 491->451 492->478
                                                                                                APIs
                                                                                                • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0041728C
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041728F
                                                                                                • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 004172A0
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 004172A3
                                                                                                • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 004172B7
                                                                                                • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004172C8
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 004172CB
                                                                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
                                                                                                • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00417384
                                                                                                • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
                                                                                                • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004173C0
                                                                                                • NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 004173E6
                                                                                                • NtUnmapViewOfSection.NTDLL(?,?), ref: 0041740E
                                                                                                • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041742E
                                                                                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417440
                                                                                                • NtClose.NTDLL(?), ref: 0041744A
                                                                                                • TerminateProcess.KERNEL32(?,00000000), ref: 00417454
                                                                                                • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041748B
                                                                                                • NtMapViewOfSection.NTDLL(?,00000000), ref: 00417496
                                                                                                • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
                                                                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00417575
                                                                                                • ResumeThread.KERNEL32(?), ref: 00417582
                                                                                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041759A
                                                                                                • GetCurrentProcess.KERNEL32(?), ref: 004175A5
                                                                                                • NtUnmapViewOfSection.NTDLL(00000000), ref: 004175AC
                                                                                                • NtClose.NTDLL(?), ref: 004175B6
                                                                                                • TerminateProcess.KERNEL32(?,00000000), ref: 004175BF
                                                                                                • GetLastError.KERNEL32 ref: 004175C7
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Process$Section$AddressHandleModuleProcView$ThreadVirtual$CloseContextCreateCurrentFreeMemoryTerminateUnmapWow64$AllocErrorLastReadResumeWrite
                                                                                                • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                                                                                • API String ID: 3150337530-3035715614
                                                                                                • Opcode ID: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
                                                                                                • Instruction ID: f03761d26bac9a2bfb1ad98f85ac7da09ef0bd98ba300517d6d91d37beebd467
                                                                                                • Opcode Fuzzy Hash: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
                                                                                                • Instruction Fuzzy Hash: EEA17C71508304AFD7209F65DC45B6B7BF9FF48345F00082AF689C2661E775E984CB6A

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 1484 100010f1-10001166 call 10002c40 * 2 lstrlenW call 10002c40 lstrcatW lstrlenW 1491 10001177-1000119e lstrlenW FindFirstFileW 1484->1491 1492 10001168-10001172 lstrlenW 1484->1492 1493 100011a0-100011a8 1491->1493 1494 100011e1-100011e9 1491->1494 1492->1491 1495 100011c7-100011d8 FindNextFileW 1493->1495 1496 100011aa-100011c4 call 10001000 1493->1496 1495->1493 1497 100011da-100011db FindClose 1495->1497 1496->1495 1497->1494
                                                                                                APIs
                                                                                                • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                                                                                • lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001151
                                                                                                • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                                                                                • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                                                                                • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                                                                                • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                                                                                • FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
                                                                                                • FindClose.KERNEL32(00000000), ref: 100011DB
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4482576420.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4482561350.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4482576420.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_10000000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                                                                                                • String ID:
                                                                                                • API String ID: 1083526818-0
                                                                                                • Opcode ID: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                                                                                                • Instruction ID: 89aa6ca17049c9a574106098fd68ded4b08ae6dd255c3979a52dcbc6bb9ed716
                                                                                                • Opcode Fuzzy Hash: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                                                                                                • Instruction Fuzzy Hash: D22193715043586BE714EB649C49FDF7BDCEF84394F00092AFA58D3190E770D64487A6

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                  • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                                                                                  • Part of subcall function 004124B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                                                                                  • Part of subcall function 004124B7: RegCloseKey.KERNEL32(?), ref: 00412500
                                                                                                • Sleep.KERNEL32(00000BB8), ref: 0040E603
                                                                                                • ExitProcess.KERNEL32 ref: 0040E672
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CloseExitOpenProcessQuerySleepValue
                                                                                                • String ID: \o$5.3.0 Pro$override$pth_unenc
                                                                                                • API String ID: 2281282204-3831945504
                                                                                                • Opcode ID: 2461c045ef1dac3841d48b1deb4288f8669071a9a0de27c7ec177a3bdcb1d130
                                                                                                • Instruction ID: 346becae97c590b24629de205d3f766cc2ad037e5fc603921d36f10068cff0f4
                                                                                                • Opcode Fuzzy Hash: 2461c045ef1dac3841d48b1deb4288f8669071a9a0de27c7ec177a3bdcb1d130
                                                                                                • Instruction Fuzzy Hash: 6B21A131B0030027C608767A891BA6F359A9B91719F90443EF805A76D7EE7D8A6083DF
                                                                                                APIs
                                                                                                  • Part of subcall function 004105B9: SetLastError.KERNEL32(0000000D,00410B38,?,00000000), ref: 004105BF
                                                                                                • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410BC4
                                                                                                • GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410C2A
                                                                                                • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410C31
                                                                                                • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410D3F
                                                                                                • SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410D69
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
                                                                                                • String ID:
                                                                                                • API String ID: 3525466593-0
                                                                                                • Opcode ID: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
                                                                                                • Instruction ID: 414678d8c61d87a8872ee73c425a8c4ab38aff0ef96490e16bc3f9b9534d1ba0
                                                                                                • Opcode Fuzzy Hash: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
                                                                                                • Instruction Fuzzy Hash: 1861C270200301ABD720DF66C981BA77BE6BF44744F04412AF9058B786EBF8E8C5CB99
                                                                                                APIs
                                                                                                • GetLocalTime.KERNEL32(00000001,00473EE8,004745A8,00000000,?,?,?,?,?,00414D8A,?,00000001), ref: 00404946
                                                                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00473EE8,004745A8,00000000,?,?,?,?,?,00414D8A,?,00000001), ref: 00404994
                                                                                                • CreateThread.KERNEL32(00000000,00000000,00404B1D,?,00000000,00000000), ref: 004049A7
                                                                                                Strings
                                                                                                • KeepAlive | Enabled | Timeout: , xrefs: 0040495C
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Create$EventLocalThreadTime
                                                                                                • String ID: KeepAlive | Enabled | Timeout:
                                                                                                • API String ID: 2532271599-1507639952
                                                                                                • Opcode ID: e19e58dcac3ce5d27b871b0be8e523833685dd75a28e9a7082eec7a4ce1bbe88
                                                                                                • Instruction ID: c7daaf492e0cec12b0841424890a61be8e5b61f5a3177df3d8f4b9063cedc03f
                                                                                                • Opcode Fuzzy Hash: e19e58dcac3ce5d27b871b0be8e523833685dd75a28e9a7082eec7a4ce1bbe88
                                                                                                • Instruction Fuzzy Hash: 38113AB19042547AC710A7BA8C49BCB7F9C9F86364F00407BF40462192C7789845CBFA
                                                                                                APIs
                                                                                                • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004326C2,00000024,?,?,?), ref: 0043294C
                                                                                                • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CBBE,?), ref: 00432962
                                                                                                • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CBBE,?), ref: 00432974
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Crypt$Context$AcquireRandomRelease
                                                                                                • String ID:
                                                                                                • API String ID: 1815803762-0
                                                                                                • Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                                                                • Instruction ID: 80435fde6f6b62f03973a002229794bf261f16e8857de4c024377aa862d1bdf3
                                                                                                • Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                                                                • Instruction Fuzzy Hash: 11E06D31308211BBEB310E25BC08F573F94AF89B71F71053AB211E40E4C2A188419A1C
                                                                                                APIs
                                                                                                • GetComputerNameExW.KERNEL32(00000001,?,0000002B,00474358), ref: 0041A7BF
                                                                                                • GetUserNameW.ADVAPI32(?,0040DFC3), ref: 0041A7D7
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Name$ComputerUser
                                                                                                • String ID:
                                                                                                • API String ID: 4229901323-0
                                                                                                • Opcode ID: cde94d6ab6d559736168707b99f603480b027a4e5b0d27f6afb59f5a93c8ae6f
                                                                                                • Instruction ID: 0a408ea7b536296bc4698588bf682dce528bd2697060893402f21fe22c13e40a
                                                                                                • Opcode Fuzzy Hash: cde94d6ab6d559736168707b99f603480b027a4e5b0d27f6afb59f5a93c8ae6f
                                                                                                • Instruction Fuzzy Hash: 8801FF7290011CAADB14EB90DC45ADDBBBCEF44715F10017AB501B21D5EFB4AB898A98
                                                                                                APIs
                                                                                                • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,@o,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: InfoLocale
                                                                                                • String ID:
                                                                                                • API String ID: 2299586839-0
                                                                                                • Opcode ID: 2f0bd58ff2c46692be8fd04023cab22914861fe3b087e1ba55e03f3e1b92ba33
                                                                                                • Instruction ID: fdf89a5244b67fc368892e36cd71d3b7bc7b33248e42f87f25a9228cb5794c84
                                                                                                • Opcode Fuzzy Hash: 2f0bd58ff2c46692be8fd04023cab22914861fe3b087e1ba55e03f3e1b92ba33
                                                                                                • Instruction Fuzzy Hash: E6D05E607002197BEA109291DC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF008AE1
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: recv
                                                                                                • String ID:
                                                                                                • API String ID: 1507349165-0
                                                                                                • Opcode ID: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                                                                                • Instruction ID: fbcf0fb35859d26dd0bec2a34c6193cd90ff2e5205aa97c5c9b80f8ed11fde70
                                                                                                • Opcode Fuzzy Hash: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                                                                                • Instruction Fuzzy Hash: 35B09279118202FFCA051B60DC0887ABEBAABCC381F108D2DB586501B0CA37C451AB26

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 494 413fd4-41401f call 401faa call 41aa73 call 401faa call 401d64 call 401e8f call 43a5e7 507 414021-414028 Sleep 494->507 508 41402e-41407c call 401f66 call 401d64 call 401fbd call 41afc3 call 404262 call 401d64 call 40b125 494->508 507->508 523 4140f0-41418a call 401f66 call 401d64 call 401fbd call 41afc3 call 401d64 * 2 call 4085b4 call 4027cb call 401eef call 401eea * 2 call 401d64 call 405422 508->523 524 41407e-4140ed call 401d64 call 4022f8 call 401d64 call 401e8f call 401d64 call 4022f8 call 401d64 call 401e8f call 401d64 call 4022f8 call 401d64 call 401e8f call 404101 508->524 577 41419a-4141a1 523->577 578 41418c-414198 523->578 524->523 579 4141a6-414242 call 40541d call 404cbf call 405ce6 call 4027cb call 401f66 call 41a686 call 401eea * 2 call 401d64 call 401e8f call 401d64 call 401e8f call 413f9a 577->579 578->579 606 414244-41428a WSAGetLastError call 41bc76 call 404c9e call 401f66 call 41a686 call 401eea 579->606 607 41428f-41429d call 4041f1 579->607 629 414b54-414b66 call 4047eb call 4020b4 606->629 612 4142ca-4142df call 404915 call 40428c 607->612 613 41429f-4142c5 call 401f66 * 2 call 41a686 607->613 628 4142e5-414432 call 401d64 * 2 call 404cbf call 405ce6 call 4027cb call 405ce6 call 4027cb call 401f66 call 41a686 call 401eea * 4 call 41a96d call 413683 call 4082dc call 440c51 call 401d64 call 401fbd call 4022f8 call 401e8f * 2 call 41265d 612->628 612->629 613->629 694 414434-414441 call 40541d 628->694 695 414446-41446d call 401e8f call 412513 628->695 642 414b68-414b88 call 401d64 call 401e8f call 43a5e7 Sleep 629->642 643 414b8e-414b96 call 401d8c 629->643 642->643 643->523 694->695 701 414474-4145a8 call 403b40 call 40cbf1 call 41adee call 41aec8 call 41ad46 call 401d64 GetTickCount call 41ad46 call 41aca0 call 41ad46 * 2 call 41ac52 call 41aec8 * 5 call 40e679 695->701 702 41446f-414471 695->702 737 4145ad-414ac7 call 41aec8 call 4027ec call 40275c call 4027cb call 40275c call 4027cb * 3 call 40275c call 4027cb call 405ce6 call 4027cb call 405ce6 call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 405ce6 call 4027cb * 5 call 40275c call 4027cb call 40275c call 4027cb * 7 call 40275c call 404468 call 401eea * 50 call 401e13 call 401eea * 6 call 401e13 call 4045d5 701->737 702->701 948 414ac9-414ad0 737->948 949 414adb-414ae2 737->949 948->949 950 414ad2-414ad4 948->950 951 414ae4-414ae9 call 40a767 949->951 952 414aee-414b20 call 405415 call 401f66 * 2 call 41a686 949->952 950->949 951->952 963 414b22-414b2e CreateThread 952->963 964 414b34-414b4f call 401eea * 2 call 401e13 952->964 963->964 964->629
                                                                                                APIs
                                                                                                • Sleep.KERNEL32(00000000,00000029,004742F8,?,00000000), ref: 00414028
                                                                                                • WSAGetLastError.WS2_32 ref: 00414249
                                                                                                • Sleep.KERNEL32(00000000,00000002), ref: 00414B88
                                                                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Sleep$ErrorLastLocalTime
                                                                                                • String ID: \o$ | $ o$%I64u$0?o$5.3.0 Pro$@o$C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$Rmc-QYW18E$TLS Off$TLS On $TUF$XCG$XCG$XCG$`=G$dCG$hlight$name$>G$>G
                                                                                                • API String ID: 524882891-2580597722
                                                                                                • Opcode ID: 16009eec5d93eb5c4c8fc0ccd9a52367a7e5202d364dccb8fa20775c33396855
                                                                                                • Instruction ID: a0bb0b13232d9f5991351636829aab2dda2428bc81dc0b9639db3628de0ead2f
                                                                                                • Opcode Fuzzy Hash: 16009eec5d93eb5c4c8fc0ccd9a52367a7e5202d364dccb8fa20775c33396855
                                                                                                • Instruction Fuzzy Hash: 58524E31A001145ADB18F771DDA6AEE73A59F90708F1041BFB80A771E2EF385E85CA9D

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 971 411c81-411cca GetModuleFileNameW call 401faa * 3 978 411ccc-411d56 call 41ab38 call 401e8f call 40c854 call 401eea call 41ab38 call 401e8f call 40c854 call 401eea call 41ab38 call 401e8f call 40c854 call 401eea 971->978 1003 411d58-411de8 call 401e8f call 403b40 call 403cbb call 403cdc call 4028cf call 401e07 call 4176b6 call 401e13 * 4 978->1003 1026 411df8 1003->1026 1027 411dea-411df2 Sleep 1003->1027 1028 411dfa-411e8a call 401e8f call 403b40 call 403cbb call 403cdc call 4028cf call 401e07 call 4176b6 call 401e13 * 4 1026->1028 1027->1003 1027->1026 1051 411e9a 1028->1051 1052 411e8c-411e94 Sleep 1028->1052 1053 411e9c-411f2c call 401e8f call 403b40 call 403cbb call 403cdc call 4028cf call 401e07 call 4176b6 call 401e13 * 4 1051->1053 1052->1028 1052->1051 1076 411f3c-411f60 1053->1076 1077 411f2e-411f36 Sleep 1053->1077 1078 411f64-411f80 call 401e07 call 41b61a 1076->1078 1077->1053 1077->1076 1083 411f82-411f91 call 401e07 DeleteFileW 1078->1083 1084 411f97-411fb3 call 401e07 call 41b61a 1078->1084 1083->1084 1091 411fd0 1084->1091 1092 411fb5-411fce call 401e07 DeleteFileW 1084->1092 1094 411fd4-411ff0 call 401e07 call 41b61a 1091->1094 1092->1094 1100 411ff2-412004 call 401e07 DeleteFileW 1094->1100 1101 41200a-41200c 1094->1101 1100->1101 1103 412019-412024 Sleep 1101->1103 1104 41200e-412010 1101->1104 1103->1078 1107 41202a-41203c call 408339 1103->1107 1104->1103 1106 412012-412017 1104->1106 1106->1103 1106->1107 1110 412092-4120b1 call 401e13 * 3 1107->1110 1111 41203e-41204c call 408339 1107->1111 1122 4120b6-41211f call 40b027 call 401e07 call 401fbd call 4123f7 call 401e13 call 405422 1110->1122 1111->1110 1117 41204e-41205c call 408339 1111->1117 1117->1110 1123 41205e-41208a Sleep call 401e13 * 3 1117->1123 1143 412125-41226f call 41aec8 call 41ad46 call 4027ec call 4027cb * 6 call 40275c call 4027cb call 40275c call 404468 call 401eea * 10 1122->1143 1144 412274-41236b call 41aec8 call 4027ec call 4027cb * 6 call 40275c call 404468 call 401eea * 7 1122->1144 1123->978 1137 412090 1123->1137 1137->1122 1214 41236f-4123cf call 401eea call 401e13 call 401eea * 7 1143->1214 1144->1214 1243 4123d4-4123f6 call 401eea * 2 1214->1243
                                                                                                APIs
                                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411C9A
                                                                                                  • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
                                                                                                  • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                                                                                  • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                                                                                • Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
                                                                                                • Sleep.KERNEL32(0000000A,00465324,00465324), ref: 00411E8E
                                                                                                • Sleep.KERNEL32(0000000A,00465324,00465324,00465324), ref: 00411F30
                                                                                                • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411F91
                                                                                                • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411FC8
                                                                                                • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00412004
                                                                                                • Sleep.KERNEL32(000001F4,00465324,00465324,00465324), ref: 0041201E
                                                                                                • Sleep.KERNEL32(00000064), ref: 00412060
                                                                                                  • Part of subcall function 00404468: send.WS2_32(000002E8,00000000,00000000,00000000), ref: 004044FD
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                                                                • String ID: /stext "$HDG$HDG$>G$>G
                                                                                                • API String ID: 1223786279-3931108886
                                                                                                • Opcode ID: 75a1c88232e94dd8f7e475bd391443dd321e9ecfe34a2257c0ca13422a014761
                                                                                                • Instruction ID: 1febf249a593eb43810efab42e14b6693ac358e03ba90545e56d33427da79e18
                                                                                                • Opcode Fuzzy Hash: 75a1c88232e94dd8f7e475bd391443dd321e9ecfe34a2257c0ca13422a014761
                                                                                                • Instruction Fuzzy Hash: 960243315083414AC325FB61D891AEFB7D5AFD4308F50493FF88A931E2EF785A49C69A

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 10001434
                                                                                                  • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                                                                                  • Part of subcall function 100010F1: lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001151
                                                                                                  • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                                                                                  • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                                                                                  • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                                                                                  • Part of subcall function 100010F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                                                                                  • Part of subcall function 100010F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
                                                                                                  • Part of subcall function 100010F1: FindClose.KERNEL32(00000000), ref: 100011DB
                                                                                                • lstrlenW.KERNEL32(?), ref: 100014C5
                                                                                                • lstrlenW.KERNEL32(?), ref: 100014E0
                                                                                                • lstrlenW.KERNEL32(?,?), ref: 1000150F
                                                                                                • lstrcatW.KERNEL32(00000000), ref: 10001521
                                                                                                • lstrlenW.KERNEL32(?,?), ref: 10001547
                                                                                                • lstrcatW.KERNEL32(00000000), ref: 10001553
                                                                                                • lstrlenW.KERNEL32(?,?), ref: 10001579
                                                                                                • lstrcatW.KERNEL32(00000000), ref: 10001585
                                                                                                • lstrlenW.KERNEL32(?,?), ref: 100015AB
                                                                                                • lstrcatW.KERNEL32(00000000), ref: 100015B7
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4482576420.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4482561350.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4482576420.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_10000000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                                                                                                • String ID: )$Foxmail$ProgramFiles
                                                                                                • API String ID: 672098462-2938083778
                                                                                                • Opcode ID: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                                                                                • Instruction ID: 44b728d421a24f1832cbc0053e0d9d9aefaca4d51113d01ad6b93c48f87fe4b0
                                                                                                • Opcode Fuzzy Hash: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                                                                                • Instruction Fuzzy Hash: 4081A475A40358A9EB30D7A0DC86FDE7379EF84740F00059AF608EB191EBB16AC5CB95

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 1286 40428c-4042ad connect 1287 4043e1-4043e5 1286->1287 1288 4042b3-4042b6 1286->1288 1291 4043e7-4043f5 WSAGetLastError 1287->1291 1292 40445f 1287->1292 1289 4043da-4043dc 1288->1289 1290 4042bc-4042bf 1288->1290 1293 404461-404465 1289->1293 1294 4042c1-4042e8 call 404cbf call 401f66 call 41a686 1290->1294 1295 4042eb-4042f5 call 420151 1290->1295 1291->1292 1296 4043f7-4043fa 1291->1296 1292->1293 1294->1295 1306 404306-404313 call 420373 1295->1306 1307 4042f7-404301 1295->1307 1299 404439-40443e 1296->1299 1300 4043fc-404437 call 41bc76 call 404c9e call 401f66 call 41a686 call 401eea 1296->1300 1302 404443-40445c call 401f66 * 2 call 41a686 1299->1302 1300->1292 1302->1292 1320 404315-404338 call 401f66 * 2 call 41a686 1306->1320 1321 40434c-404357 call 420f34 1306->1321 1307->1302 1347 40433b-404347 call 420191 1320->1347 1332 404389-404396 call 4202ea 1321->1332 1333 404359-404387 call 401f66 * 2 call 41a686 call 420592 1321->1333 1343 404398-4043bb call 401f66 * 2 call 41a686 1332->1343 1344 4043be-4043d7 CreateEventW * 2 1332->1344 1333->1347 1343->1344 1344->1289 1347->1292
                                                                                                APIs
                                                                                                • connect.WS2_32(?,00707240,00000010), ref: 004042A5
                                                                                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
                                                                                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
                                                                                                • WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7
                                                                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                                                                • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                                                                • API String ID: 994465650-2151626615
                                                                                                • Opcode ID: 2d798a5fa1db7d59694009db928515f61fa98dc21aae2058d3a2b15e05fc5637
                                                                                                • Instruction ID: b196b808fbc66b1ac8da6b4b51d7f626a0d3d22bc4cde50e21f83cd2c7739b74
                                                                                                • Opcode Fuzzy Hash: 2d798a5fa1db7d59694009db928515f61fa98dc21aae2058d3a2b15e05fc5637
                                                                                                • Instruction Fuzzy Hash: ED4128B1B00202A7CB04B77A8C5B66D7A55AB81368B40007FF901676D3EE7DAD6087DF

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
                                                                                                • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
                                                                                                • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
                                                                                                • closesocket.WS2_32(000000FF), ref: 0040481F
                                                                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404856
                                                                                                • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404867
                                                                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040486E
                                                                                                • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404880
                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404885
                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040488A
                                                                                                • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404895
                                                                                                • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 0040489A
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                                                                • String ID:
                                                                                                • API String ID: 3658366068-0
                                                                                                • Opcode ID: c0811b9552baa960996580efd3a95ddbe219791cb6e29288b5199f5b52bda897
                                                                                                • Instruction ID: 5504d0c870acfe65fd0076db90b097e51f0e6d2514c589c74abed5ba37c9c78a
                                                                                                • Opcode Fuzzy Hash: c0811b9552baa960996580efd3a95ddbe219791cb6e29288b5199f5b52bda897
                                                                                                • Instruction Fuzzy Hash: 3C212C71104B149FCB216B26EC45A27BBE1EF40325F104A7EF2E612AF1CB76E851DB48

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 1378 40c89e-40c8c3 call 401e52 1381 40c8c9 1378->1381 1382 40c9ed-40ca85 call 401e07 GetLongPathNameW call 403b40 * 2 call 40cc37 call 402860 * 2 call 401e13 * 5 1378->1382 1383 40c8d0-40c8d5 1381->1383 1384 40c9c2-40c9c7 1381->1384 1385 40c905-40c90a 1381->1385 1386 40c9d8 1381->1386 1387 40c9c9-40c9ce call 43ac0f 1381->1387 1388 40c8da-40c8e8 call 41a74b call 401e18 1381->1388 1389 40c8fb-40c900 1381->1389 1390 40c9bb-40c9c0 1381->1390 1391 40c90f-40c916 call 41b15b 1381->1391 1393 40c9dd-40c9e2 call 43ac0f 1383->1393 1384->1393 1385->1393 1386->1393 1398 40c9d3-40c9d6 1387->1398 1409 40c8ed 1388->1409 1389->1393 1390->1393 1407 40c918-40c968 call 403b40 call 43ac0f call 403b40 call 402860 call 401e18 call 401e13 * 2 1391->1407 1408 40c96a-40c9b6 call 403b40 call 43ac0f call 403b40 call 402860 call 401e18 call 401e13 * 2 1391->1408 1403 40c9e3-40c9e8 call 4082d7 1393->1403 1398->1386 1398->1403 1403->1382 1415 40c8f1-40c8f6 call 401e13 1407->1415 1408->1409 1409->1415 1415->1382
                                                                                                APIs
                                                                                                • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040CA04
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: LongNamePath
                                                                                                • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                                                                • API String ID: 82841172-425784914
                                                                                                • Opcode ID: 3954268d7dffdf0489eff235fb9ef20efbe8d8525197cc8e6b2bb3884c319527
                                                                                                • Instruction ID: 51cedb133b73bca78a9fc1065318242b3d6e678e936cb09da4a185c9a299c852
                                                                                                • Opcode Fuzzy Hash: 3954268d7dffdf0489eff235fb9ef20efbe8d8525197cc8e6b2bb3884c319527
                                                                                                • Instruction Fuzzy Hash: 39413A721442009BC214FB21DD96DAFB7A4AE90759F10063FB546720E2EE7CAA49C69F

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                  • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                                                                  • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
                                                                                                  • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                                                                  • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                                                                  • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
                                                                                                • StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0041A4D9
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Process$CloseCurrentOpenQueryValueWow64
                                                                                                • String ID: (32 bit)$ (64 bit)$@o$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                                                                • API String ID: 782494840-454285361
                                                                                                • Opcode ID: 19248c9732af6e9ef00e2f0e516aa112708340eb9e7ab1e58b257d5fb57f3ab9
                                                                                                • Instruction ID: 19977b185b3bcff34fa520d2ecc4782d624f476aadfe6515b429a208ce335d2f
                                                                                                • Opcode Fuzzy Hash: 19248c9732af6e9ef00e2f0e516aa112708340eb9e7ab1e58b257d5fb57f3ab9
                                                                                                • Instruction Fuzzy Hash: EF11E9A060020166C704B365DCABDBF765ADB90304F50443FB906E31D2EB6C9E9683EE

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 1547 41a51b-41a55a call 401faa call 43a88c InternetOpenW InternetOpenUrlW 1552 41a55c-41a57d InternetReadFile 1547->1552 1553 41a5a3-41a5a6 1552->1553 1554 41a57f-41a59f call 401f86 call 402f08 call 401eea 1552->1554 1556 41a5a8-41a5aa 1553->1556 1557 41a5ac-41a5b9 InternetCloseHandle * 2 call 43a887 1553->1557 1554->1553 1556->1552 1556->1557 1561 41a5be-41a5c8 1557->1561
                                                                                                APIs
                                                                                                • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A53E
                                                                                                • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A554
                                                                                                • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A56D
                                                                                                • InternetCloseHandle.WININET(00000000), ref: 0041A5B3
                                                                                                • InternetCloseHandle.WININET(00000000), ref: 0041A5B6
                                                                                                Strings
                                                                                                • http://geoplugin.net/json.gp, xrefs: 0041A54E
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Internet$CloseHandleOpen$FileRead
                                                                                                • String ID: http://geoplugin.net/json.gp
                                                                                                • API String ID: 3121278467-91888290
                                                                                                • Opcode ID: 73696255e9202b198c78c3ab478e8b01571d3d764b4ec7d5d8b5efc8061108e0
                                                                                                • Instruction ID: 402fbdb1aff19a1981f8347c65821a4f206ec005c70a85ea4635686413b1fe25
                                                                                                • Opcode Fuzzy Hash: 73696255e9202b198c78c3ab478e8b01571d3d764b4ec7d5d8b5efc8061108e0
                                                                                                • Instruction Fuzzy Hash: 2711C87110A3126BD214AA169C45DBF7FDCEF46365F00053EF905D2191DB689C48C6B6

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 1565 1000c7e6-1000c7ed GetModuleHandleA 1566 1000c82d 1565->1566 1567 1000c7ef-1000c7fe call 1000c803 1565->1567 1568 1000c82f-1000c833 1566->1568 1577 1000c800-1000c80b GetProcAddress 1567->1577 1578 1000c865 1567->1578 1570 1000c872 call 1000c877 1568->1570 1571 1000c835-1000c83d GetModuleHandleA 1568->1571 1574 1000c83f-1000c847 1571->1574 1574->1574 1576 1000c849-1000c84c 1574->1576 1576->1568 1579 1000c84e-1000c850 1576->1579 1577->1566 1581 1000c80d-1000c81a VirtualProtect 1577->1581 1580 1000c866-1000c86e 1578->1580 1582 1000c852-1000c854 1579->1582 1583 1000c856-1000c85e 1579->1583 1589 1000c870 1580->1589 1585 1000c82c 1581->1585 1586 1000c81c-1000c82a VirtualProtect 1581->1586 1587 1000c85f-1000c860 GetProcAddress 1582->1587 1583->1587 1585->1566 1586->1585 1587->1578 1589->1576
                                                                                                APIs
                                                                                                • GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                                                                                                • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                                                                                  • Part of subcall function 1000C803: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                                                                                  • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                                                                  • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4482576420.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4482561350.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4482576420.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_10000000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                • String ID:
                                                                                                • API String ID: 2099061454-0
                                                                                                • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                                • Instruction ID: 210348daefc771ff09e919cc38fdfa0d839c8297c2798a32150270056baeab90
                                                                                                • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                                • Instruction Fuzzy Hash: 0301D22094574A38BA51D7B40C06EBA5FD8DB176E0B24D756F1408619BDDA08906C3AE

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 1590 4126d2-4126e9 RegCreateKeyA 1591 412722 1590->1591 1592 4126eb-412720 call 4022f8 call 401e8f RegSetValueExA RegCloseKey 1590->1592 1594 412724-412730 call 401eea 1591->1594 1592->1594
                                                                                                APIs
                                                                                                • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
                                                                                                • RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
                                                                                                • RegCloseKey.KERNEL32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CloseCreateValue
                                                                                                • String ID: HgF$pth_unenc
                                                                                                • API String ID: 1818849710-3662775637
                                                                                                • Opcode ID: a8a1558e301af92e4391434ed0694e92c04ce86e799f8faadff9b348f5dda564
                                                                                                • Instruction ID: d7c223529d0a909ac1d5b5cf1be9cbd74eb10d05c00374dbcf2eb8abb0eb8976
                                                                                                • Opcode Fuzzy Hash: a8a1558e301af92e4391434ed0694e92c04ce86e799f8faadff9b348f5dda564
                                                                                                • Instruction Fuzzy Hash: 98F09032040104FBCB019FA0ED55EEF37ACEF04751F108139FD06A61A1EA75DE04EA94
                                                                                                APIs
                                                                                                • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                                                                                  • Part of subcall function 1000C7E6: GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                                                                                                  • Part of subcall function 1000C7E6: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                                                                                  • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                                                                  • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4482576420.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4482561350.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4482576420.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_10000000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                • String ID:
                                                                                                • API String ID: 2099061454-0
                                                                                                • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                                                • Instruction ID: abaa11d5974e3e1b05dfd32ec0224f7ddc3d76465740e120717e363e7a178845
                                                                                                • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                                                • Instruction Fuzzy Hash: A921382140838A6FF711CBB44C05FA67FD8DB172E0F198696E040CB147DDA89845C3AE
                                                                                                APIs
                                                                                                • GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                                                                                • VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                                                                • VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                                                                • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4482576420.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4482561350.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4482576420.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_10000000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: AddressProcProtectVirtual$HandleModule
                                                                                                • String ID:
                                                                                                • API String ID: 2152742572-0
                                                                                                • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                                                • Instruction ID: 9138b94afbcae90e12a8614b592989542e7cb6e8cba5f1d72008c399686a5f74
                                                                                                • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                                                • Instruction Fuzzy Hash: B7F0C2619497893CFA21C7B40C45EBA5FCCCB276E0B249A56F600C718BDCA5890693FE
                                                                                                APIs
                                                                                                • send.WS2_32(000002E8,00000000,00000000,00000000), ref: 004044FD
                                                                                                • WaitForSingleObject.KERNEL32(00000304,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                                                                                • SetEvent.KERNEL32(00000304,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: EventObjectSingleWaitsend
                                                                                                • String ID: LAL
                                                                                                • API String ID: 3963590051-3302426157
                                                                                                • Opcode ID: 797cf9f69927d8c8d5f5ebf388408a12a36e02342b08a7f5b9e29609ca137d04
                                                                                                • Instruction ID: 68c7e6670e460543dd9c105572fcb78fed3a06f13f8c8b410ea91b680b50408d
                                                                                                • Opcode Fuzzy Hash: 797cf9f69927d8c8d5f5ebf388408a12a36e02342b08a7f5b9e29609ca137d04
                                                                                                • Instruction Fuzzy Hash: 192143B29001196BDF04BBA5DC96DEE777CFF54358B00013EF916B21E1EA78A604D6A4
                                                                                                APIs
                                                                                                • RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                                                • RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                                                                • RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CloseCreateValue
                                                                                                • String ID: TUF
                                                                                                • API String ID: 1818849710-3431404234
                                                                                                • Opcode ID: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                                                                                • Instruction ID: 4d8f19d4f5fba69279ea975c705bdc3302fb28fe13ea63ccb444db4f968143a5
                                                                                                • Opcode Fuzzy Hash: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                                                                                • Instruction Fuzzy Hash: 8DE03071540204BFEF115B909C05FDB3BA8EB05B95F004161FA05F6191D271CE14D7A4
                                                                                                APIs
                                                                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
                                                                                                • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
                                                                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
                                                                                                • CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                                                                • String ID:
                                                                                                • API String ID: 3360349984-0
                                                                                                • Opcode ID: f49accacbea047204dfc159e8d9f5a52a3152a38306e4b52ab6f1ec190d343e3
                                                                                                • Instruction ID: f4983b6e647f91c6eb1a16b69ab68a2f9d5597509a23169db7b615edd0c6cdea
                                                                                                • Opcode Fuzzy Hash: f49accacbea047204dfc159e8d9f5a52a3152a38306e4b52ab6f1ec190d343e3
                                                                                                • Instruction Fuzzy Hash: 34417171508301ABC700FB61CC55D7FB7E9AFD5315F00093EF892A32E2EA389909866A
                                                                                                APIs
                                                                                                • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                                                                • GetFileSize.KERNEL32(00000000,00000000), ref: 0041B647
                                                                                                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041B66C
                                                                                                • CloseHandle.KERNEL32(00000000), ref: 0041B67A
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: File$CloseCreateHandleReadSize
                                                                                                • String ID:
                                                                                                • API String ID: 3919263394-0
                                                                                                • Opcode ID: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
                                                                                                • Instruction ID: 0a6fce4b3becde4f67ebc64a516323d43c368a538d14007d95c0a1c89629aad3
                                                                                                • Opcode Fuzzy Hash: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
                                                                                                • Instruction Fuzzy Hash: B3F0F6B12053047FE6101B25FC85FBF375CDB867A5F00023EFC01A22D1DA658C459179
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CountEventTick
                                                                                                • String ID: >G
                                                                                                • API String ID: 180926312-1296849874
                                                                                                • Opcode ID: 0fdd73690b21bd5037df58274c4b8d68cd6c5f80306a69dde6aa016a4431bff7
                                                                                                • Instruction ID: d5b3ec7783a4dd7183bbf31121b5a8e130ff38f85bff4fd723ced1f164cd3d8d
                                                                                                • Opcode Fuzzy Hash: 0fdd73690b21bd5037df58274c4b8d68cd6c5f80306a69dde6aa016a4431bff7
                                                                                                • Instruction Fuzzy Hash: 1A5170315042409AC624FB71D8A2AEF73A5AFD1314F40853FF94A671E2EF389949C69A
                                                                                                APIs
                                                                                                • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6
                                                                                                • GetLastError.KERNEL32 ref: 0040BEF1
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CreateErrorLastMutex
                                                                                                • String ID: Rmc-QYW18E
                                                                                                • API String ID: 1925916568-2478989380
                                                                                                • Opcode ID: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
                                                                                                • Instruction ID: f970ec9d0541ab61c93bafde2a4f59c5c821b48a7874ab2150ad5935bc14b509
                                                                                                • Opcode Fuzzy Hash: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
                                                                                                • Instruction Fuzzy Hash: 75D012707083009BD7181774BC8A77D3555E784703F00417AB90FD55E1CB6888409919
                                                                                                APIs
                                                                                                • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                                                                • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                                                                • RegCloseKey.KERNEL32(?), ref: 0041255F
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CloseOpenQueryValue
                                                                                                • String ID:
                                                                                                • API String ID: 3677997916-0
                                                                                                • Opcode ID: 1a25bcfb25f4c61a33ed6ceb80866840e5ee7adcdacacd2e2e41860cf5e9bac8
                                                                                                • Instruction ID: 155fce86b91483c744b9f02885d56de91ccd1cdd8f33956e2d71fd22bd1c87ae
                                                                                                • Opcode Fuzzy Hash: 1a25bcfb25f4c61a33ed6ceb80866840e5ee7adcdacacd2e2e41860cf5e9bac8
                                                                                                • Instruction Fuzzy Hash: F0F08176900118BBCB209BA1ED48DEF7FBDEB44751F004066BA06E2150D6749E55DBA8
                                                                                                APIs
                                                                                                • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                                                                • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                                                                • RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CloseOpenQueryValue
                                                                                                • String ID:
                                                                                                • API String ID: 3677997916-0
                                                                                                • Opcode ID: e356916b1740155a69653a68473027dca2ca6835ab0d3846d735c0fff301d5eb
                                                                                                • Instruction ID: c18416eb0b1572374c3e2b3be0649ca89fc6f9e16ed4320a44d925c8ae57db2a
                                                                                                • Opcode Fuzzy Hash: e356916b1740155a69653a68473027dca2ca6835ab0d3846d735c0fff301d5eb
                                                                                                • Instruction Fuzzy Hash: BD018131404229FBDF216FA1DC45DDF7F78EF11754F004065BA04A21A1D7758AB5DBA8
                                                                                                APIs
                                                                                                • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                                                                                • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                                                                                • RegCloseKey.KERNEL32(?), ref: 00412500
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CloseOpenQueryValue
                                                                                                • String ID:
                                                                                                • API String ID: 3677997916-0
                                                                                                • Opcode ID: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                                                                                                • Instruction ID: 3c8b5742b91bab9b7a0bfd6479237677f271592d1db5ef4b45a1d16c6b8d7bbd
                                                                                                • Opcode Fuzzy Hash: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                                                                                                • Instruction Fuzzy Hash: C0F03A76900208BFDF119FA0AC45FDF7BB9EB04B55F1040A1FA05F6291D670DA54EB98
                                                                                                APIs
                                                                                                • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040B996,004660E0), ref: 00412485
                                                                                                • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040B996,004660E0), ref: 00412499
                                                                                                • RegCloseKey.KERNEL32(?,?,?,0040B996,004660E0), ref: 004124A4
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CloseOpenQueryValue
                                                                                                • String ID:
                                                                                                • API String ID: 3677997916-0
                                                                                                • Opcode ID: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
                                                                                                • Instruction ID: 2a31b93e49ffe9e6f23ef690bd11c8afd6de107f9352384350bf23698ee7218d
                                                                                                • Opcode Fuzzy Hash: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
                                                                                                • Instruction Fuzzy Hash: 46E06531405234BBDF314BA2AD0DDDB7FACEF16BA17004061BC09A2251D2658E50E6E8
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: _wcslen
                                                                                                • String ID: xAG
                                                                                                • API String ID: 176396367-2759412365
                                                                                                • Opcode ID: 3cd24ee7cf2bbd971f19c3cfa9fc21255a7d7322a241340b9fd7b504d1626de8
                                                                                                • Instruction ID: 4b5f0267b16b6d1f94f05398eea60063c36f9fdec9e789d07f1c8464d26cb595
                                                                                                • Opcode Fuzzy Hash: 3cd24ee7cf2bbd971f19c3cfa9fc21255a7d7322a241340b9fd7b504d1626de8
                                                                                                • Instruction Fuzzy Hash: 751193325002049FCB15FF66D8968EF7BA4EF64314B10453FF842622E2EF38A955CB98
                                                                                                APIs
                                                                                                • GlobalMemoryStatusEx.KERNEL32(?), ref: 0041A959
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: GlobalMemoryStatus
                                                                                                • String ID: @
                                                                                                • API String ID: 1890195054-2766056989
                                                                                                • Opcode ID: 6a5e85952f382d12afcc854e62baf2dc0b8e461fb7fe04101b075e185c2318ef
                                                                                                • Instruction ID: dd145fffdacd7bda74fa2c6e5abe56fe406d4b7e613986be5c07feff288e4f4e
                                                                                                • Opcode Fuzzy Hash: 6a5e85952f382d12afcc854e62baf2dc0b8e461fb7fe04101b075e185c2318ef
                                                                                                • Instruction Fuzzy Hash: EFD067B99013189FCB20DFA8E945A8DBBF8FB48214F004529E946E3344E774E945CB95
                                                                                                APIs
                                                                                                • _free.LIBCMT ref: 0044B9DF
                                                                                                  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00433627,?,?,00402BE9,?,00402629,00000000,?,00402578,?,?), ref: 00446B31
                                                                                                • RtlReAllocateHeap.NTDLL(00000000,?,00000000,?,0000000F,?,00431FD7,00000000,0000000F,0042EA3D,?,?,00430AA6,?,00000000), ref: 0044BA1B
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: AllocateHeap$_free
                                                                                                • String ID:
                                                                                                • API String ID: 1482568997-0
                                                                                                • Opcode ID: d76ce5d9e4c682b15a99abc110236e8d1a2fbccdd24d1d48a07619e1950cdef4
                                                                                                • Instruction ID: 12956794463f81a5c067cbc08b9f94d22fea268b9007f3edb04f63306941b305
                                                                                                • Opcode Fuzzy Hash: d76ce5d9e4c682b15a99abc110236e8d1a2fbccdd24d1d48a07619e1950cdef4
                                                                                                • Instruction Fuzzy Hash: D6F0F67210051167FF212A27AC01B6B2B2CDFC27B1F15012BFA18AA292DF6CCC0191EE
                                                                                                APIs
                                                                                                • socket.WS2_32(00000002,00000001,00000006), ref: 00404212
                                                                                                  • Part of subcall function 00404262: WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                                                                                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404252
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CreateEventStartupsocket
                                                                                                • String ID:
                                                                                                • API String ID: 1953588214-0
                                                                                                • Opcode ID: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
                                                                                                • Instruction ID: 6d5c4ce7eefecebe47fda3b025552a79fd8a61a73b62065855ea20d17e135052
                                                                                                • Opcode Fuzzy Hash: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
                                                                                                • Instruction Fuzzy Hash: A20171B05087809ED7358F38B8456977FE0AB15314F044DAEF1D697BA1C3B5A481CB18
                                                                                                APIs
                                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00433DE7
                                                                                                  • Part of subcall function 00437BD7: RaiseException.KERNEL32(?,?,?,>C,00000000,00000000,?,?,?,?,?,?,00433E09,?,0046D5EC), ref: 00437C37
                                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00433E04
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Exception@8Throw$ExceptionRaise
                                                                                                • String ID:
                                                                                                • API String ID: 3476068407-0
                                                                                                • Opcode ID: 02f9a842f842a715d987613c720c18d86e9d620b05cc95bf3092e1ce2b61825f
                                                                                                • Instruction ID: 1b32a2814776e74a5aaecdac66354fa275a8f3c838098619b8de34dc4906cb01
                                                                                                • Opcode Fuzzy Hash: 02f9a842f842a715d987613c720c18d86e9d620b05cc95bf3092e1ce2b61825f
                                                                                                • Instruction Fuzzy Hash: 33F02B30C0020D77CB14BEA5E80699D772C4D08319F20923BB920915E1EF7CEB05858D
                                                                                                APIs
                                                                                                • GetForegroundWindow.USER32 ref: 0041AC74
                                                                                                • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041AC87
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Window$ForegroundText
                                                                                                • String ID:
                                                                                                • API String ID: 29597999-0
                                                                                                • Opcode ID: 8a79a7386f37e374dce250e4fcdef39063f35a229190475e51bbbfed219b13a7
                                                                                                • Instruction ID: 3cf16c2a8257e52241c70e3f2477159e0ff99a2dafdd86ddfb3cfc0a4d760bbd
                                                                                                • Opcode Fuzzy Hash: 8a79a7386f37e374dce250e4fcdef39063f35a229190475e51bbbfed219b13a7
                                                                                                • Instruction Fuzzy Hash: 56E04875A0031467EB24A765AC4EFDA766C9704715F0000B9BA19D21C3E9B4EA04CBE4
                                                                                                APIs
                                                                                                • getaddrinfo.WS2_32(00000000,00000000,00000000,00471B28,00474358,00000000,00414240,00000000,00000001), ref: 00413FBC
                                                                                                • WSASetLastError.WS2_32(00000000), ref: 00413FC1
                                                                                                  • Part of subcall function 00413E37: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                                                                                                  • Part of subcall function 00413E37: LoadLibraryA.KERNEL32(?), ref: 00413EC8
                                                                                                  • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                                                                                                  • Part of subcall function 00413E37: FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                                                                                                  • Part of subcall function 00413E37: LoadLibraryA.KERNEL32(?), ref: 00413F27
                                                                                                  • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                                                                                                  • Part of subcall function 00413E37: FreeLibrary.KERNEL32(00000000), ref: 00413F40
                                                                                                  • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                                                                                • String ID:
                                                                                                • API String ID: 1170566393-0
                                                                                                • Opcode ID: de7c912f5844d1f7c2d429620844517faabbfd26de99632591fe9930316e04d8
                                                                                                • Instruction ID: 9c65b6197a0e8ce5e429e224625e4c370c9a1848c9e97f9a588a6d75e163472b
                                                                                                • Opcode Fuzzy Hash: de7c912f5844d1f7c2d429620844517faabbfd26de99632591fe9930316e04d8
                                                                                                • Instruction Fuzzy Hash: 4ED05B326406216FB310575D6D01FFBB5DCDFA67617150077F408D7110D6945D82C3AD
                                                                                                APIs
                                                                                                • VirtualProtect.KERNEL32(?,00410B02,?,00000000,?,00000000,00000000,00410891), ref: 0041075D
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ProtectVirtual
                                                                                                • String ID:
                                                                                                • API String ID: 544645111-0
                                                                                                • Opcode ID: 1f5f5bcb50df5eab6b4ca8934853e6c5058cb0001586a28dc2c421d47bf62857
                                                                                                • Instruction ID: f15b865ef06e6e56f0e3155fe6c262580cd03049418ed3f125d30449dfe24c6e
                                                                                                • Opcode Fuzzy Hash: 1f5f5bcb50df5eab6b4ca8934853e6c5058cb0001586a28dc2c421d47bf62857
                                                                                                • Instruction Fuzzy Hash: 0B11CE72700101AFD6149A18C880BA6B766FF80710F5942AEE115CB292DBB5FCD2CA94
                                                                                                APIs
                                                                                                • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00433627,?,?,00402BE9,?,00402629,00000000,?,00402578,?,?), ref: 00446B31
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: AllocateHeap
                                                                                                • String ID:
                                                                                                • API String ID: 1279760036-0
                                                                                                • Opcode ID: 9bddc84dc8664baa6f7cbd2250fb2f50dd1e52b915d866c7822d6cfd0d1e4f3c
                                                                                                • Instruction ID: 23017b4f7b15ec8d1e6c8205d578d5100ba2a3a3bb6c043e3f5ab96588fe2cc9
                                                                                                • Opcode Fuzzy Hash: 9bddc84dc8664baa6f7cbd2250fb2f50dd1e52b915d866c7822d6cfd0d1e4f3c
                                                                                                • Instruction Fuzzy Hash: 16E0E5312002B556FB202A6A9C05F5B7A88DB437A4F160133AC09D62D0CF5CEC4181AF
                                                                                                APIs
                                                                                                • WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Startup
                                                                                                • String ID:
                                                                                                • API String ID: 724789610-0
                                                                                                • Opcode ID: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
                                                                                                • Instruction ID: eac2355bac846bce9fd0ddf676e945afe2a4b646382637a0be3cadb4b1fbcda1
                                                                                                • Opcode Fuzzy Hash: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
                                                                                                • Instruction Fuzzy Hash: E1D012325596084ED610AAB8AC0F8A47B5CD317611F0003BA6CB5826E3E640661CC6AB
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: send
                                                                                                • String ID:
                                                                                                • API String ID: 2809346765-0
                                                                                                • Opcode ID: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
                                                                                                • Instruction ID: f30177ef1ac25d972003a71432bbdafa3536f6886768dd9ca1b11e7f0a6bf502
                                                                                                • Opcode Fuzzy Hash: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
                                                                                                • Instruction Fuzzy Hash: 4FB09279118302BFCA051B60DC0887A7EBAABC9381B108C2CB146512B0CA37C490EB36
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Deallocate
                                                                                                • String ID:
                                                                                                • API String ID: 1075933841-0
                                                                                                • Opcode ID: fa11f090124af29c98583f2c3e9d30177ae40f5e0afd44ce9742dc7edc058cff
                                                                                                • Instruction ID: a98dd8728e001a7547a03d6555be836c7c4d92c50a1b5b3c87ce8ff60de75990
                                                                                                • Opcode Fuzzy Hash: fa11f090124af29c98583f2c3e9d30177ae40f5e0afd44ce9742dc7edc058cff
                                                                                                • Instruction Fuzzy Hash: 69A0123300C2016AC9852E00DD05C0ABFA1EB90360F20C41FF086140F0CB32A0B0A705
                                                                                                APIs
                                                                                                • VirtualAlloc.KERNEL32(?,?,?,?,00410BFE,?,00000000,00003000,00000040,00000000,?,00000000), ref: 00410ACE
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: AllocVirtual
                                                                                                • String ID:
                                                                                                • API String ID: 4275171209-0
                                                                                                • Opcode ID: 9702951664480ae04aaa1f1f49bea02567c4bdffe4003b29d8b2a531ebe9342b
                                                                                                • Instruction ID: 38694f91ddd66904e98ee13f1febf2482794bae3131ffd3a876a6d6af10a8f86
                                                                                                • Opcode Fuzzy Hash: 9702951664480ae04aaa1f1f49bea02567c4bdffe4003b29d8b2a531ebe9342b
                                                                                                • Instruction Fuzzy Hash: 29B00832418382EFCF02DF90DD0492ABAA2BB88712F084C6CB2A14017187228428EB16
                                                                                                APIs
                                                                                                • SetEvent.KERNEL32(?), ref: 00406F28
                                                                                                • GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
                                                                                                • DeleteFileW.KERNEL32(00000000), ref: 00407018
                                                                                                  • Part of subcall function 0041B42F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?, \o,004742F8), ref: 0041B489
                                                                                                  • Part of subcall function 0041B42F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?, \o,004742F8), ref: 0041B4BB
                                                                                                  • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?, \o,004742F8), ref: 0041B50C
                                                                                                  • Part of subcall function 0041B42F: FindClose.KERNEL32(00000000,?,?,?,?,?,?, \o,004742F8), ref: 0041B561
                                                                                                  • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?, \o,004742F8), ref: 0041B568
                                                                                                  • Part of subcall function 00404468: send.WS2_32(000002E8,00000000,00000000,00000000), ref: 004044FD
                                                                                                  • Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                                                                  • Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                                                                  • Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                                                                  • Part of subcall function 00406BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                  • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(00000304,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                                                                                  • Part of subcall function 00404468: SetEvent.KERNEL32(00000304,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
                                                                                                • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004074F5
                                                                                                • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
                                                                                                • DeleteFileA.KERNEL32(?), ref: 004078CC
                                                                                                  • Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
                                                                                                  • Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                                                                  • Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                                                                • Sleep.KERNEL32(000007D0), ref: 00407976
                                                                                                • StrToIntA.SHLWAPI(00000000,00000000), ref: 004079BA
                                                                                                  • Part of subcall function 0041BB77: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
                                                                                                • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $H@G$TTF$Unable to delete: $Unable to rename file!$V>G$open$x@G$x@G$x@G$x@G$>G
                                                                                                • API String ID: 2918587301-184849705
                                                                                                • Opcode ID: b6352f32ef1c6650123860efc79840071001931d6f835e35b4095029c02020fa
                                                                                                • Instruction ID: 8a4068a2e00c67808ff4e441dc576a613f01372a1abbdcb91e63f440e0dcd641
                                                                                                • Opcode Fuzzy Hash: b6352f32ef1c6650123860efc79840071001931d6f835e35b4095029c02020fa
                                                                                                • Instruction Fuzzy Hash: 60429371A043005BC614F776C8979AE77A99F90718F40493FF946731E2EE3CAA09C69B
                                                                                                APIs
                                                                                                • __Init_thread_footer.LIBCMT ref: 0040508E
                                                                                                  • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                                                                                  • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                                                                                                  • Part of subcall function 00404468: send.WS2_32(000002E8,00000000,00000000,00000000), ref: 004044FD
                                                                                                • __Init_thread_footer.LIBCMT ref: 004050CB
                                                                                                • CreatePipe.KERNEL32(00475CEC,00475CD4,00475BF8,00000000,0046556C,00000000), ref: 0040515E
                                                                                                • CreatePipe.KERNEL32(00475CD8,00475CF4,00475BF8,00000000), ref: 00405174
                                                                                                • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C08,00475CDC), ref: 004051E7
                                                                                                  • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                                                                                  • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                                                                                                • Sleep.KERNEL32(0000012C,00000093), ref: 0040523F
                                                                                                • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
                                                                                                • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291
                                                                                                  • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                                                                • WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 0040538E
                                                                                                • Sleep.KERNEL32(00000064,00000062,00465554), ref: 004053A8
                                                                                                • TerminateProcess.KERNEL32(00000000), ref: 004053C1
                                                                                                • CloseHandle.KERNEL32 ref: 004053CD
                                                                                                • CloseHandle.KERNEL32 ref: 004053D5
                                                                                                • CloseHandle.KERNEL32 ref: 004053E7
                                                                                                • CloseHandle.KERNEL32 ref: 004053EF
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                                                                • String ID: P\G$P\G$P\G$P\G$P\G$SystemDrive$cmd.exe
                                                                                                • API String ID: 3815868655-81343324
                                                                                                • Opcode ID: 34787d4621f10774a2f8a031e0b5b236cc3ffdbb4b026db84c9cc34a03f3ebd1
                                                                                                • Instruction ID: b18bac6d60c4c725a58799f80733fb47b3e4e6a61b1262bf76379e9ec18ff918
                                                                                                • Opcode Fuzzy Hash: 34787d4621f10774a2f8a031e0b5b236cc3ffdbb4b026db84c9cc34a03f3ebd1
                                                                                                • Instruction Fuzzy Hash: A691E5716007056FD705BB65AC41A6F37A8EB80348F50403FF94ABA1E2EEBC9C448B6D
                                                                                                APIs
                                                                                                • GetCurrentProcessId.KERNEL32 ref: 00410F45
                                                                                                  • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                                                  • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                                                                  • Part of subcall function 004127D5: RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                                                                • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410F81
                                                                                                • CreateThread.KERNEL32(00000000,00000000,00411637,00000000,00000000,00000000), ref: 00410FE6
                                                                                                  • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                                                                                  • Part of subcall function 004124B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                                                                                  • Part of subcall function 004124B7: RegCloseKey.KERNEL32(?), ref: 00412500
                                                                                                • CloseHandle.KERNEL32(00000000), ref: 00410F90
                                                                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041125A
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
                                                                                                • String ID: \o$0DG$Remcos restarted by watchdog!$TTF$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                                                                                • API String ID: 65172268-1195297566
                                                                                                • Opcode ID: 15c2cf8ba4fa16ac10da4dbf6ebc2712cfd682e19f578d395d2ad12c39b5f787
                                                                                                • Instruction ID: 2ec41641ff7d981187ed77e29e7d519fc89a207972baa733902a05010441332b
                                                                                                • Opcode Fuzzy Hash: 15c2cf8ba4fa16ac10da4dbf6ebc2712cfd682e19f578d395d2ad12c39b5f787
                                                                                                • Instruction Fuzzy Hash: 97719E3160420157C614FB32D8579AE77A8AED4718F40053FF582A21F2EF7CAA49869F
                                                                                                APIs
                                                                                                • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
                                                                                                • FindClose.KERNEL32(00000000), ref: 0040B3CE
                                                                                                • FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
                                                                                                • FindClose.KERNEL32(00000000), ref: 0040B517
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Find$CloseFile$FirstNext
                                                                                                • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                                                                • API String ID: 1164774033-3681987949
                                                                                                • Opcode ID: 71db8a861b2fc74db715b2c88002bf75331a4205c2d0913388115495fb865951
                                                                                                • Instruction ID: 89bba1744b34cafda07904381260291e44814ca984bf7dbd554ee600cd7873bd
                                                                                                • Opcode Fuzzy Hash: 71db8a861b2fc74db715b2c88002bf75331a4205c2d0913388115495fb865951
                                                                                                • Instruction Fuzzy Hash: 4D512C319042195ADB14FBA1EC96AEE7768EF50318F50007FF805B31E2EF389A45CA9D
                                                                                                APIs
                                                                                                • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
                                                                                                • FindClose.KERNEL32(00000000), ref: 0040B5CC
                                                                                                • FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
                                                                                                • FindClose.KERNEL32(00000000), ref: 0040B6B2
                                                                                                • FindClose.KERNEL32(00000000), ref: 0040B6D1
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Find$Close$File$FirstNext
                                                                                                • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                                                • API String ID: 3527384056-432212279
                                                                                                • Opcode ID: 23d032247b80a360ab297e3edfec7162f8d5d06b5b50b9e2e722fe899f59b899
                                                                                                • Instruction ID: 41d59f58487c11b5b23c2ebc8e3123b77d6604a8f5f59a85184e8f88ff1ca84c
                                                                                                • Opcode Fuzzy Hash: 23d032247b80a360ab297e3edfec7162f8d5d06b5b50b9e2e722fe899f59b899
                                                                                                • Instruction Fuzzy Hash: 65413A319042196ACB14F7A1EC569EE7768EE21318F50017FF801B31E2EF399A458A9E
                                                                                                APIs
                                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00474358), ref: 0040E233
                                                                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00474358), ref: 0040E25E
                                                                                                • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E27A
                                                                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E2FD
                                                                                                • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E30C
                                                                                                  • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                                                  • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                                                                  • Part of subcall function 004127D5: RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                                                                • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E371
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
                                                                                                • String ID: \o$C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                                                                                                • API String ID: 726551946-2125947963
                                                                                                • Opcode ID: 4e8d13688393c71aa9a791a17ea9833f86c50a3416487754e50a8c125bc327b9
                                                                                                • Instruction ID: ae31f71cb8b9f969ca9e83e5ca698076ed3bac053ed440982de07d1dc4d90588
                                                                                                • Opcode Fuzzy Hash: 4e8d13688393c71aa9a791a17ea9833f86c50a3416487754e50a8c125bc327b9
                                                                                                • Instruction Fuzzy Hash: ED7172311083019BC714FB61D8519EF77A5BF91358F400D3EF986631E2EF38A959CA9A
                                                                                                APIs
                                                                                                • OpenClipboard.USER32 ref: 004159C7
                                                                                                • EmptyClipboard.USER32 ref: 004159D5
                                                                                                • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004159F5
                                                                                                • GlobalLock.KERNEL32(00000000), ref: 004159FE
                                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 00415A34
                                                                                                • SetClipboardData.USER32(0000000D,00000000), ref: 00415A3D
                                                                                                • CloseClipboard.USER32 ref: 00415A5A
                                                                                                • OpenClipboard.USER32 ref: 00415A61
                                                                                                • GetClipboardData.USER32(0000000D), ref: 00415A71
                                                                                                • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                                                                                • CloseClipboard.USER32 ref: 00415A89
                                                                                                  • Part of subcall function 00404468: send.WS2_32(000002E8,00000000,00000000,00000000), ref: 004044FD
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                                                                • String ID:
                                                                                                • API String ID: 3520204547-0
                                                                                                • Opcode ID: 2c309660716b8f120810bbffa618e01841a54adcf4c99f1f9e305804b90453d6
                                                                                                • Instruction ID: b8e523df9fc7c7245f85f50a48877f09888e29e8b5459684195c928b546a98bf
                                                                                                • Opcode Fuzzy Hash: 2c309660716b8f120810bbffa618e01841a54adcf4c99f1f9e305804b90453d6
                                                                                                • Instruction Fuzzy Hash: E02183712043009BC714BBB1EC5AAAE76A9AF80752F00453EFD06961E2EF38C845D66A
                                                                                                APIs
                                                                                                • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?, \o,004742F8), ref: 0041B489
                                                                                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?, \o,004742F8), ref: 0041B4BB
                                                                                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?, \o,004742F8), ref: 0041B529
                                                                                                • DeleteFileW.KERNEL32(?,?,?,?,?,?,?, \o,004742F8), ref: 0041B536
                                                                                                  • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?, \o,004742F8), ref: 0041B50C
                                                                                                • FindClose.KERNEL32(00000000,?,?,?,?,?,?, \o,004742F8), ref: 0041B561
                                                                                                • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?, \o,004742F8), ref: 0041B568
                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?, \o,004742F8), ref: 0041B570
                                                                                                • FindClose.KERNEL32(00000000,?,?,?,?,?,?, \o,004742F8), ref: 0041B583
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                                                                • String ID: \o
                                                                                                • API String ID: 2341273852-202371427
                                                                                                • Opcode ID: e3c00313fe9feb441b7390d1c72d337a5a5a4ab260ce0f05f37d8840b2d05d0a
                                                                                                • Instruction ID: e81c2b0307560c21eb772b723951cbad4d8c7a866ea933437d0d5d39764c0eb1
                                                                                                • Opcode Fuzzy Hash: e3c00313fe9feb441b7390d1c72d337a5a5a4ab260ce0f05f37d8840b2d05d0a
                                                                                                • Instruction Fuzzy Hash: 0031627184921CAACB20D7B1AC89ADA77BCAF04309F4405EBF505D3181EB799AC5CE69
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: 0$1$2$3$4$5$6$7
                                                                                                • API String ID: 0-3177665633
                                                                                                • Opcode ID: 9b02e51a1cc6672d7d2f4342b27c01cb84a2fdb077451789e1e817f40a25d538
                                                                                                • Instruction ID: 2879f211a781d1662389055333b9a248a4bc7621c6500268a6892da51c348380
                                                                                                • Opcode Fuzzy Hash: 9b02e51a1cc6672d7d2f4342b27c01cb84a2fdb077451789e1e817f40a25d538
                                                                                                • Instruction Fuzzy Hash: CC61A370508301AEDB00EF21D862FEA77E4AF85754F40485EFA91672E1DF789A48C797
                                                                                                APIs
                                                                                                • GetForegroundWindow.USER32 ref: 00409B3F
                                                                                                • GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                                                                • GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                                                                • GetKeyState.USER32(00000010), ref: 00409B5C
                                                                                                • GetKeyboardState.USER32(?), ref: 00409B67
                                                                                                • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                                                                • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                                                                • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409C1C
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                                                                • String ID: 8[G
                                                                                                • API String ID: 1888522110-1691237782
                                                                                                • Opcode ID: 3e4cd20e139c82d1a9a354c0cd804b45f3e7cb2135d7d20bc0d0fffe1111d1b9
                                                                                                • Instruction ID: f24a8317de74a0bbad47f265c67a45df51816e9018bfad09e00086f3728f1c27
                                                                                                • Opcode Fuzzy Hash: 3e4cd20e139c82d1a9a354c0cd804b45f3e7cb2135d7d20bc0d0fffe1111d1b9
                                                                                                • Instruction Fuzzy Hash: EE318172508309AFD700DF90DC85FDBB7ECEB48715F00083ABA45961A1D6B5E948DB96
                                                                                                APIs
                                                                                                • _wcslen.LIBCMT ref: 00406788
                                                                                                • CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Object_wcslen
                                                                                                • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                                                                • API String ID: 240030777-3166923314
                                                                                                • Opcode ID: f680b05b7da9254b8b2e62aef58334289a0f3b659c75efd963e3361adaa2c028
                                                                                                • Instruction ID: dba8c49f7cecafb8ed31af17d29d910bb03d3c12ecd117c8e18c4d6c9c114880
                                                                                                • Opcode Fuzzy Hash: f680b05b7da9254b8b2e62aef58334289a0f3b659c75efd963e3361adaa2c028
                                                                                                • Instruction Fuzzy Hash: 811170B2901118AEDB10FAA5884AA9EB7BCDB48714F55007FE905F3281E7789A148A7D
                                                                                                APIs
                                                                                                • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004748F8), ref: 004198D8
                                                                                                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419927
                                                                                                • GetLastError.KERNEL32 ref: 00419935
                                                                                                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041996D
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                                                                • String ID:
                                                                                                • API String ID: 3587775597-0
                                                                                                • Opcode ID: cbb4319f4ea4d4597f1e30bd7914a7df107bdaf14578ca57a6b92482c719bea5
                                                                                                • Instruction ID: 5304d2aa3016a1bb8b693e548c532b43deb082133906afc562c92feca393f19d
                                                                                                • Opcode Fuzzy Hash: cbb4319f4ea4d4597f1e30bd7914a7df107bdaf14578ca57a6b92482c719bea5
                                                                                                • Instruction Fuzzy Hash: 37812F711083049BC614FB21DC959AFB7A8BF94718F50493EF582521E2EF78AA05CB9A
                                                                                                APIs
                                                                                                  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                                                                  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                                                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
                                                                                                • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004514C3
                                                                                                • IsValidCodePage.KERNEL32(00000000), ref: 0045151E
                                                                                                • IsValidLocale.KERNEL32(?,00000001), ref: 0045152D
                                                                                                • GetLocaleInfoW.KERNEL32(?,00001001,<D,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00451575
                                                                                                • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 00451594
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                                                                • String ID: <D$<D$<D
                                                                                                • API String ID: 745075371-3495170934
                                                                                                • Opcode ID: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                                                                                • Instruction ID: fdda48fcf8ef828b158f806230e01f9d82b9b72a6df542884d0e4dc3e0683d2c
                                                                                                • Opcode Fuzzy Hash: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                                                                                • Instruction Fuzzy Hash: 5A51D571900205ABEF10EFA5CC40BBF73B8AF05702F14056BFD11EB262E7789A488769
                                                                                                APIs
                                                                                                • FindFirstFileW.KERNEL32(00000000,?), ref: 00418EBF
                                                                                                • FindNextFileW.KERNEL32(00000000,?,?), ref: 00418F8B
                                                                                                  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: File$Find$CreateFirstNext
                                                                                                • String ID: 0?o$XCG$`HG$`HG$>G
                                                                                                • API String ID: 341183262-4199425213
                                                                                                • Opcode ID: 5a1cbe8e823c608055a9f57f3047cd9d6b4f505aac0e151d25a19e10aa9e8437
                                                                                                • Instruction ID: 861c71bda04042c44626cba1538e35c757a91b728f0af2478fb4c1063bb13cc5
                                                                                                • Opcode Fuzzy Hash: 5a1cbe8e823c608055a9f57f3047cd9d6b4f505aac0e151d25a19e10aa9e8437
                                                                                                • Instruction Fuzzy Hash: B08141315042405BC314FB62C892EEFB3A5AFD1718F50493FF946671E2EF389A49C69A
                                                                                                APIs
                                                                                                • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
                                                                                                • SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
                                                                                                • GetLastError.KERNEL32 ref: 00409A1B
                                                                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
                                                                                                • TranslateMessage.USER32(?), ref: 00409A7A
                                                                                                • DispatchMessageA.USER32(?), ref: 00409A85
                                                                                                Strings
                                                                                                • Keylogger initialization failure: error , xrefs: 00409A32
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                                                                • String ID: Keylogger initialization failure: error
                                                                                                • API String ID: 3219506041-952744263
                                                                                                • Opcode ID: 394d2ed10b758bec866be95a73fe021b1c2c0c7c33502808925f3de31827cbba
                                                                                                • Instruction ID: 76b292cdb4e6355f9a4176d1f10d626d2d11be3de55f9aee7ae49bf60faff0c2
                                                                                                • Opcode Fuzzy Hash: 394d2ed10b758bec866be95a73fe021b1c2c0c7c33502808925f3de31827cbba
                                                                                                • Instruction Fuzzy Hash: 201194716043015BC710AB7AAC4996B77ECAB94B15B10057FFC45D2291FB34DE01CBAB
                                                                                                APIs
                                                                                                • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0041301A
                                                                                                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00413026
                                                                                                  • Part of subcall function 00404468: send.WS2_32(000002E8,00000000,00000000,00000000), ref: 004044FD
                                                                                                • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004131ED
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 004131F4
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: AddressCloseCreateLibraryLoadProcsend
                                                                                                • String ID: SHDeleteKeyW$Shlwapi.dll
                                                                                                • API String ID: 2127411465-314212984
                                                                                                • Opcode ID: 34909d98bf4c72dfa7c0f54ac2602ff0b7032a7f9f50e1e232f30fd991181047
                                                                                                • Instruction ID: cc67afc49b78d61a2372e1362dfc4f5d4a672f2d1b5b468e2109e7b1f18a6fb5
                                                                                                • Opcode Fuzzy Hash: 34909d98bf4c72dfa7c0f54ac2602ff0b7032a7f9f50e1e232f30fd991181047
                                                                                                • Instruction Fuzzy Hash: 4FB1B671A043006BC614BA76CC979BE76989F94718F40063FF946B31E2EF7C9A4486DB
                                                                                                APIs
                                                                                                • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
                                                                                                • GetLastError.KERNEL32 ref: 0040B261
                                                                                                Strings
                                                                                                • [Chrome StoredLogins not found], xrefs: 0040B27B
                                                                                                • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
                                                                                                • UserProfile, xrefs: 0040B227
                                                                                                • [Chrome StoredLogins found, cleared!], xrefs: 0040B287
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: DeleteErrorFileLast
                                                                                                • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                                                                • API String ID: 2018770650-1062637481
                                                                                                • Opcode ID: a7b2a17663120d4824e58c4836fec71886d2deb9142c979bd5b37fc2e6fd903f
                                                                                                • Instruction ID: 236ee74dc97b4bdf00ef4875347123a6b81b21ae8e03a402b83ae8c28ff1bd46
                                                                                                • Opcode Fuzzy Hash: a7b2a17663120d4824e58c4836fec71886d2deb9142c979bd5b37fc2e6fd903f
                                                                                                • Instruction Fuzzy Hash: 3001A23168410597CA0477B5ED6F8AE3624E921704F50017FF802731E2FF3A9A0586DE
                                                                                                APIs
                                                                                                • GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                                                                                • OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                                                                                • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                                                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                                                                                • GetLastError.KERNEL32 ref: 00416B02
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                                                                • String ID: SeShutdownPrivilege
                                                                                                • API String ID: 3534403312-3733053543
                                                                                                • Opcode ID: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                                                                                • Instruction ID: c28276ca820f5d67da4083ad645d4fedab17ddc29f560671af9b7c8b6b4fa774
                                                                                                • Opcode Fuzzy Hash: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                                                                                • Instruction Fuzzy Hash: 25F0D4B5805229BBDB10ABA1EC4DEEF7EBCEF05656F100061B805E2192D6748A44CAB5
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: __floor_pentium4
                                                                                                • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                • API String ID: 4168288129-2761157908
                                                                                                • Opcode ID: 66bc95b00190c33de1dc88885a8d3c2e2540cf288971a00217ef3550ead5f7a6
                                                                                                • Instruction ID: 57cc16b57fb9b80973019f24a4c29afa226e887048a240d5689d112d8919aadd
                                                                                                • Opcode Fuzzy Hash: 66bc95b00190c33de1dc88885a8d3c2e2540cf288971a00217ef3550ead5f7a6
                                                                                                • Instruction Fuzzy Hash: 08C26F72D046288FDB25CE28DD407EAB7B5EB44346F1441EBD84DE7242E778AE898F44
                                                                                                APIs
                                                                                                • __EH_prolog.LIBCMT ref: 004089AE
                                                                                                  • Part of subcall function 004041F1: socket.WS2_32(00000002,00000001,00000006), ref: 00404212
                                                                                                  • Part of subcall function 0040428C: connect.WS2_32(?,00707240,00000010), ref: 004042A5
                                                                                                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
                                                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
                                                                                                • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7
                                                                                                  • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(00000304,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                                                                                  • Part of subcall function 00404468: SetEvent.KERNEL32(00000304,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                                                                                  • Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
                                                                                                  • Part of subcall function 004047EB: SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
                                                                                                  • Part of subcall function 004047EB: CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
                                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1
                                                                                                  • Part of subcall function 00404468: send.WS2_32(000002E8,00000000,00000000,00000000), ref: 004044FD
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
                                                                                                • String ID:
                                                                                                • API String ID: 4043647387-0
                                                                                                • Opcode ID: 023dc0bb17e3d4688fbad928f669f6b6b4ce6930fe0b3bcb6a9d897457014150
                                                                                                • Instruction ID: d7705bc86650fd6632c5f082d335fbcd32bd3fe840799e2454ee74f5ab9ae988
                                                                                                • Opcode Fuzzy Hash: 023dc0bb17e3d4688fbad928f669f6b6b4ce6930fe0b3bcb6a9d897457014150
                                                                                                • Instruction Fuzzy Hash: 11A15C729001089ACB14EBA1DD92AEDB778AF54318F10427FF546B71D2EF385E498B98
                                                                                                APIs
                                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0041981A,00000000,00000000), ref: 00419BCD
                                                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0041981A,00000000,00000000), ref: 00419BE2
                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419BEF
                                                                                                • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041981A,00000000,00000000), ref: 00419BFA
                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0C
                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0F
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Service$CloseHandle$Open$ManagerStart
                                                                                                • String ID:
                                                                                                • API String ID: 276877138-0
                                                                                                • Opcode ID: 50d0eb20569f235c126f5a3ccb9fed10f2149612a0ffcc28dffb27fdb097a1eb
                                                                                                • Instruction ID: 9ab78235182221d9a13884b701025ebbd4d22640777282bd149d85cf0e5c5631
                                                                                                • Opcode Fuzzy Hash: 50d0eb20569f235c126f5a3ccb9fed10f2149612a0ffcc28dffb27fdb097a1eb
                                                                                                • Instruction Fuzzy Hash: 46F0E971404314AFD2115B31FC88DBF2AACEF85BA2B00043AF54193191CF68CD4595B9
                                                                                                APIs
                                                                                                  • Part of subcall function 00416AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                                                                                  • Part of subcall function 00416AB7: OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                                                                                  • Part of subcall function 00416AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                                                                                  • Part of subcall function 00416AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                                                                                  • Part of subcall function 00416AB7: GetLastError.KERNEL32 ref: 00416B02
                                                                                                • ExitWindowsEx.USER32(00000000,00000001), ref: 0041595B
                                                                                                • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415970
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00415977
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                                                                • String ID: PowrProf.dll$SetSuspendState
                                                                                                • API String ID: 1589313981-1420736420
                                                                                                • Opcode ID: a9bdb05b4d57e85a2d4faed2f5f4237c9f13a829c7de5adf5ffc40db30ecdedd
                                                                                                • Instruction ID: 94bd0be5b4d635cf3270abd21b93e0cba208aed3fdadf5553bbce7524c8ebf13
                                                                                                • Opcode Fuzzy Hash: a9bdb05b4d57e85a2d4faed2f5f4237c9f13a829c7de5adf5ffc40db30ecdedd
                                                                                                • Instruction Fuzzy Hash: 7D2150B0604741E6CA14F7B19856AEF225A9F80748F40883FB402A72D2EF7CDC89865E
                                                                                                APIs
                                                                                                • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 0045127C
                                                                                                • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 004512A5
                                                                                                • GetACP.KERNEL32(?,?,00451502,?,00000000), ref: 004512BA
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: InfoLocale
                                                                                                • String ID: ACP$OCP
                                                                                                • API String ID: 2299586839-711371036
                                                                                                • Opcode ID: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                                                                                • Instruction ID: bcb6c1b5649eca6e102b6d6ca9fa22aa61ab34f591545d84575f60c76f210f03
                                                                                                • Opcode Fuzzy Hash: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                                                                                • Instruction Fuzzy Hash: 50212722600100A6D7348F54D900BAB73A6AB40B66F1645E6FD09E7322F736DD49C799
                                                                                                APIs
                                                                                                • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A650
                                                                                                • LoadResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A664
                                                                                                • LockResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A66B
                                                                                                • SizeofResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A67A
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Resource$FindLoadLockSizeof
                                                                                                • String ID: SETTINGS
                                                                                                • API String ID: 3473537107-594951305
                                                                                                • Opcode ID: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                                                                • Instruction ID: 83a829ee02157d331b98a48cb758db5ec39b6d120b3a3db205f860a33549a403
                                                                                                • Opcode Fuzzy Hash: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                                                                • Instruction Fuzzy Hash: 3EE01A3A200710ABCB211BA5BC8CD477E39E7867633140036F90582331DA358850CA59
                                                                                                APIs
                                                                                                • __EH_prolog.LIBCMT ref: 00407A91
                                                                                                • FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                                                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                                                                • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Find$File$CloseFirstH_prologNext
                                                                                                • String ID:
                                                                                                • API String ID: 1157919129-0
                                                                                                • Opcode ID: 935e28bceb1b2dd29a33bdabc5781610e478b7f4932fb351d10d11ef5e821378
                                                                                                • Instruction ID: c296e4c637b16ec180f1d25cf2666c4e6f2336455dd814d501b84ef2841b6e91
                                                                                                • Opcode Fuzzy Hash: 935e28bceb1b2dd29a33bdabc5781610e478b7f4932fb351d10d11ef5e821378
                                                                                                • Instruction Fuzzy Hash: 485173329041085ACB14FB65DD969DD7778AF50318F50417EB806B31E2EF38AB498B99
                                                                                                APIs
                                                                                                • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
                                                                                                • _free.LIBCMT ref: 00448067
                                                                                                  • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                                                                  • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                                                                • _free.LIBCMT ref: 00448233
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                                                                • String ID:
                                                                                                • API String ID: 1286116820-0
                                                                                                • Opcode ID: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
                                                                                                • Instruction ID: adcac59616ce0bf4d9b6f5e4feac4fc1c4b096f081e8a0f87c9a15d47e4c4f65
                                                                                                • Opcode Fuzzy Hash: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
                                                                                                • Instruction Fuzzy Hash: 13510B719002099BE714DF69DC819AFB7BCEF41354F10456FE454A32A1EF389E46CB58
                                                                                                APIs
                                                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
                                                                                                • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318
                                                                                                Strings
                                                                                                • C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, xrefs: 0040627F, 004063A7
                                                                                                • open, xrefs: 0040622E
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: DownloadExecuteFileShell
                                                                                                • String ID: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe$open
                                                                                                • API String ID: 2825088817-632982280
                                                                                                • Opcode ID: 097751347954455152b3f34d315961b7c1834e5e6913efe5332c78cc7149d1cd
                                                                                                • Instruction ID: f68f5450864a8ef507c8d3860f756bd811b48be2db930e76b40a644c5c1bb7bc
                                                                                                • Opcode Fuzzy Hash: 097751347954455152b3f34d315961b7c1834e5e6913efe5332c78cc7149d1cd
                                                                                                • Instruction Fuzzy Hash: 0761A33160434067CA14FA76C8569BE77A69F81718F00493FBC46772D6EF3C9A05C69B
                                                                                                APIs
                                                                                                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
                                                                                                • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5
                                                                                                  • Part of subcall function 00404468: send.WS2_32(000002E8,00000000,00000000,00000000), ref: 004044FD
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: FileFind$FirstNextsend
                                                                                                • String ID: x@G$x@G
                                                                                                • API String ID: 4113138495-3390264752
                                                                                                • Opcode ID: 784674e8d6818078d961cd005be54c7bd986f13eb30e329a6d734e3aeb6873f3
                                                                                                • Instruction ID: 9df0c8526107c53e8273efc1e688d8f669138e67c86485f4ac558c26d22f9560
                                                                                                • Opcode Fuzzy Hash: 784674e8d6818078d961cd005be54c7bd986f13eb30e329a6d734e3aeb6873f3
                                                                                                • Instruction Fuzzy Hash: B42147725043015BC714FB61D8959AF77A8AFD1358F40093EF996A31D1EF38AA088A9B
                                                                                                APIs
                                                                                                • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                                                                                  • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
                                                                                                  • Part of subcall function 004126D2: RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
                                                                                                  • Part of subcall function 004126D2: RegCloseKey.KERNEL32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CloseCreateInfoParametersSystemValue
                                                                                                • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                                                                • API String ID: 4127273184-3576401099
                                                                                                • Opcode ID: 3d360fdf2e78990b0619b3c2804760803c56fcbcebbcac8b827f4f8c51bc1c9b
                                                                                                • Instruction ID: a6c166168c7895b99543370299e99232025f4d6daba66cbb636fef562e17b9dc
                                                                                                • Opcode Fuzzy Hash: 3d360fdf2e78990b0619b3c2804760803c56fcbcebbcac8b827f4f8c51bc1c9b
                                                                                                • Instruction Fuzzy Hash: 06112432B8060433D514303A4E6FBAE1806D356B60FA4415FF6026A6DAFA9E5AE103DF
                                                                                                APIs
                                                                                                  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                                                                  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00443CF3,?,?,?,?,?,?,00000004), ref: 00450B61
                                                                                                • _wcschr.LIBVCRUNTIME ref: 00450BF1
                                                                                                • _wcschr.LIBVCRUNTIME ref: 00450BFF
                                                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00443CF3,00000000,00443E13), ref: 00450CA2
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                                                                • String ID:
                                                                                                • API String ID: 4212172061-0
                                                                                                • Opcode ID: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
                                                                                                • Instruction ID: a02e79dc60b90d06ce6287b0e519d5a2a37574338541b46fb9e412c2f7ec0900
                                                                                                • Opcode Fuzzy Hash: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
                                                                                                • Instruction Fuzzy Hash: D7613B79600306AAD729AB75CC82AAB73ACEF05316F14052FFD05D7243E778E909C768
                                                                                                APIs
                                                                                                • __EH_prolog.LIBCMT ref: 00408DAC
                                                                                                • FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
                                                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: FileFind$FirstH_prologNext
                                                                                                • String ID:
                                                                                                • API String ID: 301083792-0
                                                                                                • Opcode ID: 0afeef2273bb365940aeeebd1ace48b2c35f122f2a18ff3fa38bca27594c9e3e
                                                                                                • Instruction ID: 60446431aa0b45b5fc099c057f6d50f3e7887136e12703af2d86415be67689ac
                                                                                                • Opcode Fuzzy Hash: 0afeef2273bb365940aeeebd1ace48b2c35f122f2a18ff3fa38bca27594c9e3e
                                                                                                • Instruction Fuzzy Hash: 357140328001099BCB15EBA1DC919EE7778AF54318F10427FE856B71E2EF386E45CB98
                                                                                                APIs
                                                                                                  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                                                                  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                                                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
                                                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450EBE
                                                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450F0F
                                                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450FCF
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ErrorInfoLastLocale$_free$_abort
                                                                                                • String ID:
                                                                                                • API String ID: 2829624132-0
                                                                                                • Opcode ID: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
                                                                                                • Instruction ID: e92eb603d23812efeda5bde14236c6fbce748c008cf001f3fb8de25b7fcb8669
                                                                                                • Opcode Fuzzy Hash: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
                                                                                                • Instruction Fuzzy Hash: AC61D3365002079FDB289F24CD82BBB77A8EF04706F1041BBED05C6696E778D989DB58
                                                                                                APIs
                                                                                                • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0043A755
                                                                                                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0043A75F
                                                                                                • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0043A76C
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                • String ID:
                                                                                                • API String ID: 3906539128-0
                                                                                                • Opcode ID: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                                                                                • Instruction ID: 15fc2c217458336097e8e19d69e2940e7c5a4b77666d4e23b7e272f62fea865b
                                                                                                • Opcode Fuzzy Hash: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                                                                                • Instruction Fuzzy Hash: 2D31D47490121CABCB21DF64D98979DBBB8BF08310F5052EAE81CA7251E7349F81CF49
                                                                                                APIs
                                                                                                • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 100061DA
                                                                                                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 100061E4
                                                                                                • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 100061F1
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4482576420.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4482561350.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4482576420.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_10000000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                • String ID:
                                                                                                • API String ID: 3906539128-0
                                                                                                • Opcode ID: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
                                                                                                • Instruction ID: da4494ed88e82f72bec2981ffd8ad716d5acf317cb547f21db02b9c2842d332f
                                                                                                • Opcode Fuzzy Hash: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
                                                                                                • Instruction Fuzzy Hash: 4A31D37490122C9BEB21DF24DD88B8DBBB8EF08350F5041DAE81CA7265E7709F818F55
                                                                                                APIs
                                                                                                • GetCurrentProcess.KERNEL32(?,?,0044252A,?), ref: 00442575
                                                                                                • TerminateProcess.KERNEL32(00000000,?,0044252A,?), ref: 0044257C
                                                                                                • ExitProcess.KERNEL32 ref: 0044258E
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Process$CurrentExitTerminate
                                                                                                • String ID:
                                                                                                • API String ID: 1703294689-0
                                                                                                • Opcode ID: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                                                                                • Instruction ID: 6e58600c80f72e94ca833af3256d2da28fe7ef7edb4b61bff2e48710a34f1207
                                                                                                • Opcode Fuzzy Hash: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                                                                                • Instruction Fuzzy Hash: 65E08C31004648BFDF016F14EE18A893F29EF10346F408475F80A8A632CFB9DE92CB88
                                                                                                APIs
                                                                                                • GetCurrentProcess.KERNEL32(?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004AD5
                                                                                                • TerminateProcess.KERNEL32(00000000,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004ADC
                                                                                                • ExitProcess.KERNEL32 ref: 10004AEE
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4482576420.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4482561350.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4482576420.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_10000000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Process$CurrentExitTerminate
                                                                                                • String ID:
                                                                                                • API String ID: 1703294689-0
                                                                                                • Opcode ID: 0083298fcdf57ae02ee63dbac9b2f40de16c14eb6cad1f3ac06a4de9001c4c8a
                                                                                                • Instruction ID: 67c7ca3480f18a9b01e05da0926f82de4ad888d39fdd55e1be860e0f4a97641b
                                                                                                • Opcode Fuzzy Hash: 0083298fcdf57ae02ee63dbac9b2f40de16c14eb6cad1f3ac06a4de9001c4c8a
                                                                                                • Instruction Fuzzy Hash: 04E04676000218AFEF01BF25CD48B493B6AEF013C1F128010F9088B029CB35ED52CA68
                                                                                                APIs
                                                                                                • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150C3,00000000), ref: 0041ACCC
                                                                                                • NtSuspendProcess.NTDLL(00000000), ref: 0041ACD9
                                                                                                • CloseHandle.KERNEL32(00000000,?,?,004150C3,00000000), ref: 0041ACE2
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Process$CloseHandleOpenSuspend
                                                                                                • String ID:
                                                                                                • API String ID: 1999457699-0
                                                                                                • Opcode ID: 25604720b1c4003eaa4d94084830c6d0564ffd887a8d5c6f711170065f3891c4
                                                                                                • Instruction ID: f0940f0a464cb9da12e036c8bcda16370f3965740af83b573a45ae51f9acba0f
                                                                                                • Opcode Fuzzy Hash: 25604720b1c4003eaa4d94084830c6d0564ffd887a8d5c6f711170065f3891c4
                                                                                                • Instruction Fuzzy Hash: E7D0A733605131638221176A7C0CC87EE6CDFC1EB37024136F404C3220DA30C84186F4
                                                                                                APIs
                                                                                                • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150E8,00000000), ref: 0041ACF8
                                                                                                • NtResumeProcess.NTDLL(00000000), ref: 0041AD05
                                                                                                • CloseHandle.KERNEL32(00000000,?,?,004150E8,00000000), ref: 0041AD0E
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Process$CloseHandleOpenResume
                                                                                                • String ID:
                                                                                                • API String ID: 3614150671-0
                                                                                                • Opcode ID: ac01971c7a5820b8bc970b7b2339e0980474906f6b9316b65cb607f099f400ad
                                                                                                • Instruction ID: b64f47c6af987b25b68fadd97e6a7e629856a7b738c344dffca8a71896aa998e
                                                                                                • Opcode Fuzzy Hash: ac01971c7a5820b8bc970b7b2339e0980474906f6b9316b65cb607f099f400ad
                                                                                                • Instruction Fuzzy Hash: DFD0A733504132638220176A7C0CC87EDADDFC5EB37024236F404C3621DA34C841C6F4
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: .
                                                                                                • API String ID: 0-248832578
                                                                                                • Opcode ID: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
                                                                                                • Instruction ID: db76f937e81630575b2700384d205b0ac401e8f874fa32e43cac1aabc581782c
                                                                                                • Opcode Fuzzy Hash: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
                                                                                                • Instruction Fuzzy Hash: CB310471900209AFEB249E79CC84EEB7BBDDB86318F1101AEF91897251E6389D458B64
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4482576420.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4482561350.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4482576420.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_10000000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: .
                                                                                                • API String ID: 0-248832578
                                                                                                • Opcode ID: d62ff9c274239ee522e16b5fb8162bf78a9045f13a61a74130903e5937500e37
                                                                                                • Instruction ID: 9046c4836333a0efab45ea1e09b7d9ff5bbd95f87beecc7c41f4b92e1cb642f0
                                                                                                • Opcode Fuzzy Hash: d62ff9c274239ee522e16b5fb8162bf78a9045f13a61a74130903e5937500e37
                                                                                                • Instruction Fuzzy Hash: 45313771800159AFEB14CF74CC84EEA7BBEDB49384F200198F81997259E6319E448B60
                                                                                                APIs
                                                                                                  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                                                                  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                • EnumSystemLocalesW.KERNEL32(00450E6A,00000001,00000000,?,<D,?,00451497,00000000,?,?,?), ref: 00450DB4
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                                • String ID: <D
                                                                                                • API String ID: 1084509184-3866323178
                                                                                                • Opcode ID: 99518e0148a584110f8bf4689e731d5402797eff59b4f7bbd4ab81c0230e503e
                                                                                                • Instruction ID: b1cdb4a87285138648e71eec5b58018a028c0508cbf90fbfa4a5e64eba390ba2
                                                                                                • Opcode Fuzzy Hash: 99518e0148a584110f8bf4689e731d5402797eff59b4f7bbd4ab81c0230e503e
                                                                                                • Instruction Fuzzy Hash: 9C11293B2007055FDB189F79D8916BAB7A1FF8031AB14442DE94647741D375B846C744
                                                                                                APIs
                                                                                                  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                                                                  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                • EnumSystemLocalesW.KERNEL32(004510BA,00000001,?,?,<D,?,0045145B,<D,?,?,?,?,?,00443CEC,?,?), ref: 00450E29
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                                • String ID: <D
                                                                                                • API String ID: 1084509184-3866323178
                                                                                                • Opcode ID: e0c48b72e2c1269c4cdc51d0e461bd75820cdd7fcb75359b91497d16354a5322
                                                                                                • Instruction ID: d323619e2976bd52c5edaa4f55efd93dda7e8b303aa23e489220a9c0c916f3e4
                                                                                                • Opcode Fuzzy Hash: e0c48b72e2c1269c4cdc51d0e461bd75820cdd7fcb75359b91497d16354a5322
                                                                                                • Instruction Fuzzy Hash: 5BF0223A2003045FDB145F3AD882AAB7B95EF81729B25842EFD058B782D275AC42C644
                                                                                                APIs
                                                                                                • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004475EA
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: InfoLocale
                                                                                                • String ID: GetLocaleInfoEx
                                                                                                • API String ID: 2299586839-2904428671
                                                                                                • Opcode ID: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                                                                                • Instruction ID: 80a81796b135a3e0eaabc3ca7fb48afb6b687e063e78a0117ef0368584b3b56e
                                                                                                • Opcode Fuzzy Hash: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                                                                                • Instruction Fuzzy Hash: 82F0F031A44308BBDB11AF61EC06F6E7B25EF04712F00416AFC046A2A2CB359E11969E
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 5fe4b2cb4502993dbea9aed901accaaf97bf6201a09a40e91719f5fde44f0d4f
                                                                                                • Instruction ID: cffdc6bb8eb20f5336ace8b102e865ec7dcfb2cf624fb46ac032ba80a60d6a90
                                                                                                • Opcode Fuzzy Hash: 5fe4b2cb4502993dbea9aed901accaaf97bf6201a09a40e91719f5fde44f0d4f
                                                                                                • Instruction Fuzzy Hash: 8A024C71E002199BEF14CFA9C9806AEBBF1FF88314F25826AD919E7350D735AD45CB84
                                                                                                APIs
                                                                                                • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004520CD,?,?,00000008,?,?,00455412,00000000), ref: 004522FF
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ExceptionRaise
                                                                                                • String ID:
                                                                                                • API String ID: 3997070919-0
                                                                                                • Opcode ID: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
                                                                                                • Instruction ID: 47108b7899804ebb5d40a9255b8f0d240b678f8396b787326aeb691ef157153f
                                                                                                • Opcode Fuzzy Hash: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
                                                                                                • Instruction Fuzzy Hash: C0B18F351106089FD715CF28C586B567BE0FF06325F29869AEC99CF3A2C379E986CB44
                                                                                                APIs
                                                                                                • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,1000B5BC,?,?,00000008,?,?,1000B25C,00000000), ref: 1000B7EE
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4482576420.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4482561350.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4482576420.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_10000000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ExceptionRaise
                                                                                                • String ID:
                                                                                                • API String ID: 3997070919-0
                                                                                                • Opcode ID: 5385f7ee1153a66eb2669645b58237e3e0719d9079e030963b5c19e75e4dc3f3
                                                                                                • Instruction ID: c899a2dc376e060411cab8954cdd4c29929d9ba6cfa71f030d59b99a2ca162da
                                                                                                • Opcode Fuzzy Hash: 5385f7ee1153a66eb2669645b58237e3e0719d9079e030963b5c19e75e4dc3f3
                                                                                                • Instruction Fuzzy Hash: 0DB16B31610A09CFE755CF28C486B647BE0FF453A4F25C658E89ACF2A5C735E982CB40
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: 0
                                                                                                • API String ID: 0-4108050209
                                                                                                • Opcode ID: d7e2f1edd223cd44d70c9618c0c5ab444609e4c73f269a0cd31c5ec718f0b721
                                                                                                • Instruction ID: f72c02501a8b687524d4eed2bba9748ce27a8789a4669d3223b659a6f876a8a8
                                                                                                • Opcode Fuzzy Hash: d7e2f1edd223cd44d70c9618c0c5ab444609e4c73f269a0cd31c5ec718f0b721
                                                                                                • Instruction Fuzzy Hash: 8002B3727083004BD714DF39D95272EF3E2AFCC758F15492EF499AB391DA78A8058A4A
                                                                                                APIs
                                                                                                  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                                                                  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                                                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
                                                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045110E
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ErrorLast$_free$InfoLocale_abort
                                                                                                • String ID:
                                                                                                • API String ID: 1663032902-0
                                                                                                • Opcode ID: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                                                                                                • Instruction ID: 725ff80feb3504da526bb6f16fdbe645276de1ecdd37ac2f1e7666d8a95350e0
                                                                                                • Opcode Fuzzy Hash: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                                                                                                • Instruction Fuzzy Hash: 2D21B332500606ABDB249A25DC46B7B73A8EB09316F1041BBFE01C6252EB79DD48CB99
                                                                                                APIs
                                                                                                  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                                                                  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451088,00000000,00000000,?), ref: 00451316
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ErrorLast$InfoLocale_abort_free
                                                                                                • String ID:
                                                                                                • API String ID: 2692324296-0
                                                                                                • Opcode ID: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                                                                                                • Instruction ID: 964a9937ac5a020d26487979adcc3deadbef587b10f76395f6381cc8137ce6dd
                                                                                                • Opcode Fuzzy Hash: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                                                                                                • Instruction Fuzzy Hash: 10F07D32500111BBEB286A25CC16BFF7758EB00716F15046BEC06A3651FA38FD49C6D4
                                                                                                APIs
                                                                                                  • Part of subcall function 00444ACC: EnterCriticalSection.KERNEL32(?,?,0044225B,00000000,0046DAC0,0000000C,00442216,?,?,?,00448739,?,?,00446F74,00000001,00000364), ref: 00444ADB
                                                                                                • EnumSystemLocalesW.KERNEL32(00447068,00000001,0046DC48,0000000C), ref: 004470E6
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                                • String ID:
                                                                                                • API String ID: 1272433827-0
                                                                                                • Opcode ID: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
                                                                                                • Instruction ID: 877f7ae5c491a2fbf36f534f7b8138893028b6a81f24f5c3744eb9f6a7677366
                                                                                                • Opcode Fuzzy Hash: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
                                                                                                • Instruction Fuzzy Hash: F6F04932A10200EFEB04EF68E806B4D77B0EB44725F10816AF414DB2E2DB7889818B49
                                                                                                APIs
                                                                                                  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                                                                  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                • EnumSystemLocalesW.KERNEL32(00450C4E,00000001,?,?,?,004514B9,<D,?,?,?,?,?,00443CEC,?,?,?), ref: 00450D2E
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                                • String ID:
                                                                                                • API String ID: 1084509184-0
                                                                                                • Opcode ID: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
                                                                                                • Instruction ID: ec648f77c102ae861fabd43d141f98194b25f4d0b1f390d0839222eb7000fb0b
                                                                                                • Opcode Fuzzy Hash: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
                                                                                                • Instruction Fuzzy Hash: CBF05C3D30020557CB159F35D81576B7F94EFC2711B07405AFE098B381C239D846C754
                                                                                                APIs
                                                                                                • SetUnhandledExceptionFilter.KERNEL32(Function_00033CE3,004339B1), ref: 00433CDC
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ExceptionFilterUnhandled
                                                                                                • String ID:
                                                                                                • API String ID: 3192549508-0
                                                                                                • Opcode ID: 3670727f3e8651977646328ecd403d2a1b3c6ba49dd5bfb528ab2007e995f695
                                                                                                • Instruction ID: 83953e3dca8a62111c248ad4478ddd9c1373f985a30770e5fc8846644fe13ce9
                                                                                                • Opcode Fuzzy Hash: 3670727f3e8651977646328ecd403d2a1b3c6ba49dd5bfb528ab2007e995f695
                                                                                                • Instruction Fuzzy Hash:
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: 0
                                                                                                • API String ID: 0-4108050209
                                                                                                • Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                                                                                • Instruction ID: e47b97b21f836cd03f295ee90de6feb37cae4df0254a032430ab3cefd666e269
                                                                                                • Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                                                                                • Instruction Fuzzy Hash: C851AC3160070457DF388A6985DA7BF6B959B0E700F18352FE48AFB382C60DED02979E
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: @
                                                                                                • API String ID: 0-2766056989
                                                                                                • Opcode ID: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
                                                                                                • Instruction ID: 4dd25ef8aece06dcbd44762d080e1d81d96ea4c89eb3931c7e752ffea448aa68
                                                                                                • Opcode Fuzzy Hash: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
                                                                                                • Instruction Fuzzy Hash: 99417576A083158FC314CE29D18021BFBE1FBC8300F568A2EF99693350D679E980CB86
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: >G
                                                                                                • API String ID: 0-1296849874
                                                                                                • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                                • Instruction ID: d77b428d8deff70f46db9a150fef47e19855adfe796a652afc1ecdf390514463
                                                                                                • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                                • Instruction Fuzzy Hash: D1110BF724C18143EE74862DD8B46B7A795EACE320F2C636BD0C14B758D52A99459908
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4482576420.0000000010016000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4482561350.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4482576420.0000000010001000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_10000000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: f12bac2ceacaba3709f449de7301e54826307763cc64d35c491f096f7cc92462
                                                                                                • Instruction ID: 44f99013a838546abf86f75096a930c39f9ce457c7277da91ad5f6740c4fb7fb
                                                                                                • Opcode Fuzzy Hash: f12bac2ceacaba3709f449de7301e54826307763cc64d35c491f096f7cc92462
                                                                                                • Instruction Fuzzy Hash: 89628C316083958FD324DF28C48469ABBF1FF85384F154A2DE9E98B391E771D989CB42
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: b5ca945c73f96586680b794a2cfc8b55e8f7bc2f58380cec5295694457d85c5e
                                                                                                • Instruction ID: 1fbb2d6a6e610910e1865e113166bba559d0ad1400e2c5ed2b94208389d41108
                                                                                                • Opcode Fuzzy Hash: b5ca945c73f96586680b794a2cfc8b55e8f7bc2f58380cec5295694457d85c5e
                                                                                                • Instruction Fuzzy Hash: 4E323621D2AF014DE7639634C862336A649AFB73C5F19D737F81AB5AA6EB2CC4C34105
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: f36ab663cb4d239ef1e0a5f108238eabc662f1d3d061ede5d5b4150ec9228ddd
                                                                                                • Instruction ID: 2a34495ee4f42e5442afe8381c33b9994a027dd0bc8bc0cc3fe6fc4803c66e78
                                                                                                • Opcode Fuzzy Hash: f36ab663cb4d239ef1e0a5f108238eabc662f1d3d061ede5d5b4150ec9228ddd
                                                                                                • Instruction Fuzzy Hash: 9732C1796087469BD714DF2AC4807ABB7E1BF84304F444A2EFC958B381D778DD858B8A
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 51f8d9063bc82676a5307432183369734bf664b3393a643c02daa012ce37ec01
                                                                                                • Instruction ID: 022d1978040d43b7ea9bbfc0a41ffb8b00617051ae00cac38c3f572af68edcce
                                                                                                • Opcode Fuzzy Hash: 51f8d9063bc82676a5307432183369734bf664b3393a643c02daa012ce37ec01
                                                                                                • Instruction Fuzzy Hash: 0D028F717046518FD318CF2EE880536B7E1AF8E301B46863EE585C7395EB74E922CB95
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 74e588301cf54894560b91a60f0e3518b6bdc06a9ff6f3e52f80e31c4ce3b340
                                                                                                • Instruction ID: dd4ce2a6fae4266494c2f053a510589cf36d02151b1693af83bcfdcd1697f2cb
                                                                                                • Opcode Fuzzy Hash: 74e588301cf54894560b91a60f0e3518b6bdc06a9ff6f3e52f80e31c4ce3b340
                                                                                                • Instruction Fuzzy Hash: 55F13B716142548FC314DF1DE89187BB3E0EB8A301B460A2EF5C2D7392DB78E91ADB56
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 7363a9fedaeb76f2bf31ad894624b0994c444190ff40f401d8ef5418a52334f3
                                                                                                • Instruction ID: a134442df30985c3d9ded0ed06b90328dea8838589cb671b1bd0994677c35241
                                                                                                • Opcode Fuzzy Hash: 7363a9fedaeb76f2bf31ad894624b0994c444190ff40f401d8ef5418a52334f3
                                                                                                • Instruction Fuzzy Hash: 60D1A171A083158BC721DE29C88096FB7E4FFD8354F446A2EF88597361EB38DD058B86
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: e7326b31f45d4e50c8c50174bee11f9882207dfed74e31d12f4697374e1987de
                                                                                                • Instruction ID: 86422b113df266cbb8d28aa4d41e6099a1760efb4c6ea83322c03ecd969c618c
                                                                                                • Opcode Fuzzy Hash: e7326b31f45d4e50c8c50174bee11f9882207dfed74e31d12f4697374e1987de
                                                                                                • Instruction Fuzzy Hash: 46B1817951429A8ACB05EF28C4913F63BA1EF6A300F4851B9EC9CCF757D3399506EB24
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                                                                • Instruction ID: c2ccfb52f11e3b3b259396a7657262a28929e77abe156aeb413db61674ad6f9a
                                                                                                • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                                                                • Instruction Fuzzy Hash: EB91C8722080A319DB2D463E847403FFFE19A563A1B1BA79FD4F2CB2C5EE18D564D624
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                                                                                • Instruction ID: 4bc7a19b78b3923bd294324807b23a5e70e392b11aa895e474023c0768c286cc
                                                                                                • Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                                                                                • Instruction Fuzzy Hash: 1C91B6762080A35ADB2D463AC43403FFFE15A563A1B1B979FD4F2CB2C5EE18C568D624
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                                                                • Instruction ID: 8cd81e8b6c8cb135a2d00aee0b4681899237c427d703fcd1ed6b13232f465ad6
                                                                                                • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                                                                • Instruction Fuzzy Hash: 439195722090A35ADB2D463D843403FFFE15E5A3A1B1B979FD4F2CB2C5EE28C5649624
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                                                                                                • Instruction ID: 3f92c48b0efc6548e9d2ace3e3fdbc0fca8b075b553eb95927f683fa27391a83
                                                                                                • Opcode Fuzzy Hash: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                                                                                                • Instruction Fuzzy Hash: A4613471E0070867DE385928B896BBF23A8AB0D708F24755BE942DB381D65DDD43C24E
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: da6bc0b681a35a8a8cd82b5b62752965acc1f5aabf11132faead2372da36057a
                                                                                                • Instruction ID: a817909710d0090f483bb13cdd1d1ee80d6dfae79024daed79820ace932836b2
                                                                                                • Opcode Fuzzy Hash: da6bc0b681a35a8a8cd82b5b62752965acc1f5aabf11132faead2372da36057a
                                                                                                • Instruction Fuzzy Hash: E361777160070966DA385A2858D6BBF6396EB0DB04F10391BE943FF3C1D61DAD43874E
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                                                                • Instruction ID: b40c52ae0115b4061fe2d1036eda9829452ee7622c5651f608d151b30f65a328
                                                                                                • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                                                                • Instruction Fuzzy Hash: B081C4722090A319DB2D463E843403FFFE15A563A5B1BA7AFD4F2CB2C5EE18C5649624
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                                                                • Instruction ID: 61f6cd4e2a94a36a6652522188f48ed2bcd63c305fdb574287b7df62abf21a4e
                                                                                                • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                                                                • Instruction Fuzzy Hash: BB51677170460D9BDB34E96894E77BFA3899B0E344F18350BD882B7382D60CED02939E
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 6f0963373f33ef73dbd289fc78ad1b7818d684b7f305e862658b304cf2148f24
                                                                                                • Instruction ID: 42e819d74c2f676ea4fb49a2469d6a41ac5eaf2d1859dcf64078451750f97267
                                                                                                • Opcode Fuzzy Hash: 6f0963373f33ef73dbd289fc78ad1b7818d684b7f305e862658b304cf2148f24
                                                                                                • Instruction Fuzzy Hash: 49614E32A083119FC308DF35E581A5BB7E5FFDC718F550E1EF48996151E674EA088B8A
                                                                                                APIs
                                                                                                • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417FB9
                                                                                                • CreateCompatibleDC.GDI32(00000000), ref: 00417FC4
                                                                                                  • Part of subcall function 00418452: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418482
                                                                                                • CreateCompatibleBitmap.GDI32(?,00000000), ref: 00418045
                                                                                                • DeleteDC.GDI32(?), ref: 0041805D
                                                                                                • DeleteDC.GDI32(00000000), ref: 00418060
                                                                                                • SelectObject.GDI32(00000000,00000000), ref: 0041806B
                                                                                                • StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 00418093
                                                                                                • GetCursorInfo.USER32(?), ref: 004180B5
                                                                                                • GetIconInfo.USER32(?,?), ref: 004180CB
                                                                                                • DeleteObject.GDI32(?), ref: 004180FA
                                                                                                • DeleteObject.GDI32(?), ref: 00418107
                                                                                                • DrawIcon.USER32(00000000,?,?,?), ref: 00418114
                                                                                                • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 00418144
                                                                                                • GetObjectA.GDI32(?,00000018,?), ref: 00418173
                                                                                                • LocalAlloc.KERNEL32(00000040,00000028), ref: 004181BC
                                                                                                • LocalAlloc.KERNEL32(00000040,00000001), ref: 004181DF
                                                                                                • GlobalAlloc.KERNEL32(00000000,?), ref: 00418248
                                                                                                • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041826B
                                                                                                • DeleteDC.GDI32(?), ref: 0041827F
                                                                                                • DeleteDC.GDI32(00000000), ref: 00418282
                                                                                                • DeleteObject.GDI32(00000000), ref: 00418285
                                                                                                • GlobalFree.KERNEL32(00CC0020), ref: 00418290
                                                                                                • DeleteObject.GDI32(00000000), ref: 00418344
                                                                                                • GlobalFree.KERNEL32(?), ref: 0041834B
                                                                                                • DeleteDC.GDI32(?), ref: 0041835B
                                                                                                • DeleteDC.GDI32(00000000), ref: 00418366
                                                                                                • DeleteDC.GDI32(?), ref: 00418398
                                                                                                • DeleteDC.GDI32(00000000), ref: 0041839B
                                                                                                • DeleteObject.GDI32(?), ref: 004183A1
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconInfoLocal$BitmapBitsCursorDisplayDrawEnumSelectSettingsStretch
                                                                                                • String ID: DISPLAY
                                                                                                • API String ID: 1352755160-865373369
                                                                                                • Opcode ID: 14ef04a11382e39a5d7ce1ed17fc5207626fd631db5641e6acf2cfebc1a14c6e
                                                                                                • Instruction ID: f05cd178694609e891ba83f5bdf02bb76ea447df34f4969275af8919d08089d1
                                                                                                • Opcode Fuzzy Hash: 14ef04a11382e39a5d7ce1ed17fc5207626fd631db5641e6acf2cfebc1a14c6e
                                                                                                • Instruction Fuzzy Hash: 12C17C31508345AFD3209F25DC44BABBBE9FF88751F04082EF989932A1DB34E945CB5A
                                                                                                APIs
                                                                                                • CreateMutexA.KERNEL32(00000000,00000001,00000000,004742F8,?,00000000), ref: 004112D4
                                                                                                • ExitProcess.KERNEL32 ref: 0041151D
                                                                                                  • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                                                                  • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                                                                  • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                                                                  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                                                                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 0041135B
                                                                                                • OpenProcess.KERNEL32(00100000,00000000,T@,?,?,?,?,00000000), ref: 0041136A
                                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00411375
                                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0041137C
                                                                                                • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00411382
                                                                                                  • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                                                  • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                                                                  • Part of subcall function 004127D5: RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                                                                • PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 004113B3
                                                                                                • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0041140F
                                                                                                • GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
                                                                                                • lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B
                                                                                                  • Part of subcall function 0041B58F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041B5EB
                                                                                                  • Part of subcall function 0041B58F: WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041B5FF
                                                                                                  • Part of subcall function 0041B58F: CloseHandle.KERNEL32(00000000), ref: 0041B60C
                                                                                                • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
                                                                                                • Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 004114C4
                                                                                                • OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004114D9
                                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004114E4
                                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004114EB
                                                                                                • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004114F1
                                                                                                  • Part of subcall function 0041B58F: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5CE
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
                                                                                                • String ID: .exe$0?o$0DG$T@$WDH$exepath$open$temp_
                                                                                                • API String ID: 4250697656-634629910
                                                                                                • Opcode ID: 197af66009191922f4e5756cbe13be0694456b58e8e0c6d34c19e14a4caca06f
                                                                                                • Instruction ID: b1cd6038c3dd2fca16f1d1fb39a824579eeb1b45f376adef666059b0b2e54ae4
                                                                                                • Opcode Fuzzy Hash: 197af66009191922f4e5756cbe13be0694456b58e8e0c6d34c19e14a4caca06f
                                                                                                • Instruction Fuzzy Hash: D751B671A043156BDB00A7A0AC49EFE736D9B44715F1041BBF905A72D2EF7C8E828A9D
                                                                                                APIs
                                                                                                  • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                                                                  • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040C38B
                                                                                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C39E
                                                                                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040C3B7
                                                                                                • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040C3E7
                                                                                                  • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,004742F8,pth_unenc,0040BF26, \o,004742F8,?,pth_unenc), ref: 0040AFC9
                                                                                                  • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                                                                  • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3
                                                                                                  • Part of subcall function 0041B58F: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5CE
                                                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C632
                                                                                                • ExitProcess.KERNEL32 ref: 0040C63E
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                                                • String ID: """, 0$")$0?o$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                                                                • API String ID: 1861856835-2356322746
                                                                                                • Opcode ID: a0f600f49bf3dc62deacadc195efdc112691502130aed94f63629ad2c38e38da
                                                                                                • Instruction ID: c8b5e11b4abf5c95f8ab28b2bb359051ef64700817c412cd349ec45860bdb676
                                                                                                • Opcode Fuzzy Hash: a0f600f49bf3dc62deacadc195efdc112691502130aed94f63629ad2c38e38da
                                                                                                • Instruction Fuzzy Hash: EB9175316042005AC314FB25D852ABF7799AF91718F10453FF98A631E2EF7CAD49C69E
                                                                                                APIs
                                                                                                  • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                                                                  • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C013
                                                                                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
                                                                                                • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C056
                                                                                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C065
                                                                                                  • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,004742F8,pth_unenc,0040BF26, \o,004742F8,?,pth_unenc), ref: 0040AFC9
                                                                                                  • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                                                                  • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3
                                                                                                  • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
                                                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C280
                                                                                                • ExitProcess.KERNEL32 ref: 0040C287
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                                                • String ID: \o$")$.vbs$0?o$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                                                                                • API String ID: 3797177996-710222024
                                                                                                • Opcode ID: 6fdb169e588ba5efd4694f387023577ef4881c3b43681ad391313d197d6ba7e6
                                                                                                • Instruction ID: 1063ce1f4075510d90626cdc8b34ac690c3cf2dc76fa2c9c3337a4c1feab76e8
                                                                                                • Opcode Fuzzy Hash: 6fdb169e588ba5efd4694f387023577ef4881c3b43681ad391313d197d6ba7e6
                                                                                                • Instruction Fuzzy Hash: B78191316042005BC315FB21D862ABF77A9ABD1308F10453FF586A71E2EF7CAD49869E
                                                                                                APIs
                                                                                                • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A2B2
                                                                                                • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A2C6
                                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0041A2EE
                                                                                                • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00473EE8,00000000), ref: 0041A2FF
                                                                                                • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A340
                                                                                                • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A358
                                                                                                • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A36D
                                                                                                • SetEvent.KERNEL32 ref: 0041A38A
                                                                                                • WaitForSingleObject.KERNEL32(000001F4), ref: 0041A39B
                                                                                                • CloseHandle.KERNEL32 ref: 0041A3AB
                                                                                                • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A3CD
                                                                                                • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A3D7
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                                                                • String ID: alias audio$" type $TUF$close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$>G
                                                                                                • API String ID: 738084811-2745919808
                                                                                                • Opcode ID: fa86cf05341072421914e5d1e1dcf176187f6b351948c508f9266be5b7dc4a46
                                                                                                • Instruction ID: 9d48d6c6e0579c1e833a8367b0d02802659df9f73890df0c3e8ff2b6504ede8e
                                                                                                • Opcode Fuzzy Hash: fa86cf05341072421914e5d1e1dcf176187f6b351948c508f9266be5b7dc4a46
                                                                                                • Instruction Fuzzy Hash: 9A51C2712443056AD214BB31DC82EBF3B5CEB91758F10043FF455A21E2EE389D9986AF
                                                                                                APIs
                                                                                                • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                                                                • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
                                                                                                • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
                                                                                                • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
                                                                                                • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
                                                                                                • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
                                                                                                • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
                                                                                                • WriteFile.KERNEL32(00000000,00471B02,00000002,00000000,00000000), ref: 00401CE0
                                                                                                • WriteFile.KERNEL32(00000000,00471B04,00000004,00000000,00000000), ref: 00401CF0
                                                                                                • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
                                                                                                • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
                                                                                                • WriteFile.KERNEL32(00000000,00471B0E,00000002,00000000,00000000), ref: 00401D22
                                                                                                • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
                                                                                                • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: File$Write$Create
                                                                                                • String ID: RIFF$WAVE$data$fmt
                                                                                                • API String ID: 1602526932-4212202414
                                                                                                • Opcode ID: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                                                                                • Instruction ID: 129ba3454a43ec42bedb537cb07bfa8f9eb5569c2d2d4c431363fc199bcfbd5c
                                                                                                • Opcode Fuzzy Hash: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                                                                                • Instruction Fuzzy Hash: 66416F726443187AE210DB51DD86FBB7EECEB85F54F40081AFA44D6090E7A4E909DBB3
                                                                                                APIs
                                                                                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe,00000001,004068B2,C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe,00000003,004068DA, \o,00406933), ref: 004064F4
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 004064FD
                                                                                                • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00406511
                                                                                                • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00406525
                                                                                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00406539
                                                                                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0040654D
                                                                                                • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00406561
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: AddressHandleModuleProc
                                                                                                • String ID: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                                                                • API String ID: 1646373207-3565256061
                                                                                                • Opcode ID: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                                                                                • Instruction ID: b313d74494c875c8407327c43f2905d2eb3972c2d2e01a1e2b33da4df8ba43a1
                                                                                                • Opcode Fuzzy Hash: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                                                                                • Instruction Fuzzy Hash: 1F011EA4E40B1675DB21677A7C54D176EAC9E502917190433B40AF22B1FEBCD410CD7D
                                                                                                APIs
                                                                                                  • Part of subcall function 10001CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
                                                                                                  • Part of subcall function 10001CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
                                                                                                  • Part of subcall function 10001CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
                                                                                                • _strlen.LIBCMT ref: 10001855
                                                                                                • _strlen.LIBCMT ref: 10001869
                                                                                                • _strlen.LIBCMT ref: 1000188B
                                                                                                • _strlen.LIBCMT ref: 100018AE
                                                                                                • _strlen.LIBCMT ref: 100018C8
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4482576420.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4482561350.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4482576420.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_10000000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: _strlen$File$CopyCreateDelete
                                                                                                • String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
                                                                                                • API String ID: 3296212668-3023110444
                                                                                                • Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                                                                                • Instruction ID: bb93a2ec4ecc4c0c7ac40ef0fbf5621e946fdf476ba73097d2750e43d9e064ca
                                                                                                • Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                                                                                • Instruction Fuzzy Hash: 69612475D04218ABFF11CBE4C851BDEB7F9EF45280F00409AE604A7299EF706A45CF96
                                                                                                APIs
                                                                                                • _wcslen.LIBCMT ref: 0040BC75
                                                                                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
                                                                                                • CopyFileW.KERNEL32(C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe,00000000,00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
                                                                                                • _wcslen.LIBCMT ref: 0040BD54
                                                                                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
                                                                                                • CopyFileW.KERNEL32(C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe,00000000,00000000), ref: 0040BDF2
                                                                                                • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
                                                                                                • _wcslen.LIBCMT ref: 0040BE34
                                                                                                • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00474358,0000000E), ref: 0040BE9B
                                                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
                                                                                                • ExitProcess.KERNEL32 ref: 0040BED0
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                                                                • String ID: \o$6$C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe$del$open
                                                                                                • API String ID: 1579085052-3890197601
                                                                                                • Opcode ID: cf2def00a9f54cbbdb09bd5ce01bb5f776fc8ce9134b0bd7acedba2fd5570a88
                                                                                                • Instruction ID: b3868b96a5a73c1b880f625a38b4c220dd420420d05b0a2cc1e840e3cd02b35d
                                                                                                • Opcode Fuzzy Hash: cf2def00a9f54cbbdb09bd5ce01bb5f776fc8ce9134b0bd7acedba2fd5570a88
                                                                                                • Instruction Fuzzy Hash: D251B0212043406BD609B722EC52EBF77999F81719F10443FF985A66E2DF3CAD4582EE
                                                                                                APIs
                                                                                                • lstrlenW.KERNEL32(?), ref: 0041B1D6
                                                                                                • _memcmp.LIBVCRUNTIME ref: 0041B1EE
                                                                                                • lstrlenW.KERNEL32(?), ref: 0041B207
                                                                                                • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B242
                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B255
                                                                                                • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B299
                                                                                                • lstrcmpW.KERNEL32(?,?), ref: 0041B2B4
                                                                                                • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B2CC
                                                                                                • _wcslen.LIBCMT ref: 0041B2DB
                                                                                                • FindVolumeClose.KERNEL32(?), ref: 0041B2FB
                                                                                                • GetLastError.KERNEL32 ref: 0041B313
                                                                                                • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B340
                                                                                                • lstrcatW.KERNEL32(?,?), ref: 0041B359
                                                                                                • lstrcpyW.KERNEL32(?,?), ref: 0041B368
                                                                                                • GetLastError.KERNEL32 ref: 0041B370
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                                                                • String ID: ?
                                                                                                • API String ID: 3941738427-1684325040
                                                                                                • Opcode ID: 17f0383a2199e65fad79c02efdfd6f833a281a6f5bd6be27e9a359bd3f4b92bf
                                                                                                • Instruction ID: 2e0df54dd889987763cd5022c3700ac4418931210c184d5857636408485aa128
                                                                                                • Opcode Fuzzy Hash: 17f0383a2199e65fad79c02efdfd6f833a281a6f5bd6be27e9a359bd3f4b92bf
                                                                                                • Instruction Fuzzy Hash: 8B416F71508305AAD7209FA1EC8C9EBB7E8EB49715F00096BF541C2261EB78C98887D6
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4482576420.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4482561350.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4482576420.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_10000000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: _strlen
                                                                                                • String ID: %m$~$Gon~$~F@7$~dra
                                                                                                • API String ID: 4218353326-230879103
                                                                                                • Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                                                                                • Instruction ID: 2a57ee3bda34e0ca62253b4f9cdd28a92c7aa5ebcaa9e167bfd7dd38749d7a78
                                                                                                • Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                                                                                • Instruction Fuzzy Hash: 9371F5B5D002685BEF11DBB49895BDF7BFCDB05280F104096E644D7246EB74EB85CBA0
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: _free$EnvironmentVariable$_wcschr
                                                                                                • String ID:
                                                                                                • API String ID: 3899193279-0
                                                                                                • Opcode ID: c10670a696248be885c2c5ddf478444a83bcb0538a8bf01727ad035a034c0f59
                                                                                                • Instruction ID: 8ac3cd9939a067627e1c481289c57a7f9f94b657261427fab31af25724b0c78e
                                                                                                • Opcode Fuzzy Hash: c10670a696248be885c2c5ddf478444a83bcb0538a8bf01727ad035a034c0f59
                                                                                                • Instruction Fuzzy Hash: 96D13C719007007FFB25AF7B9881A6F7BA4BF02314F0541AFF905A7381E63989418B9D
                                                                                                APIs
                                                                                                • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041CAE9
                                                                                                • GetCursorPos.USER32(?), ref: 0041CAF8
                                                                                                • SetForegroundWindow.USER32(?), ref: 0041CB01
                                                                                                • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CB1B
                                                                                                • Shell_NotifyIconA.SHELL32(00000002,00473B50), ref: 0041CB6C
                                                                                                • ExitProcess.KERNEL32 ref: 0041CB74
                                                                                                • CreatePopupMenu.USER32 ref: 0041CB7A
                                                                                                • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CB8F
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                                                                • String ID: Close
                                                                                                • API String ID: 1657328048-3535843008
                                                                                                • Opcode ID: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                                                                                • Instruction ID: a66ed96c0d91d71762f770de87d5f41dd37c70c4e97b210e23d221b2b7ccacbc
                                                                                                • Opcode Fuzzy Hash: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                                                                                • Instruction Fuzzy Hash: 68212B71188209FFDB064F64FD4EAAA3F65EB04342F044135B906D40B2D7B9EA90EB18
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: _free$Info
                                                                                                • String ID:
                                                                                                • API String ID: 2509303402-0
                                                                                                • Opcode ID: 4f311dc35998d231116b4ef065710eb7bf66da857f64ae236b680615c36f9f73
                                                                                                • Instruction ID: 0af7f9009007d8880989bd470fdb3e4a62bb8e65dbd2af1b74ff5c8893cb1db7
                                                                                                • Opcode Fuzzy Hash: 4f311dc35998d231116b4ef065710eb7bf66da857f64ae236b680615c36f9f73
                                                                                                • Instruction Fuzzy Hash: D0B18F71900605AFEF11DFA9C881BEEBBF4BF49304F14406EF855B7242DA79A8458B64
                                                                                                APIs
                                                                                                • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
                                                                                                • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
                                                                                                • __aulldiv.LIBCMT ref: 00407FE9
                                                                                                • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
                                                                                                • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
                                                                                                • CloseHandle.KERNEL32(00000000), ref: 00408200
                                                                                                • CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
                                                                                                • CloseHandle.KERNEL32(00000000), ref: 00408256
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
                                                                                                • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $>G
                                                                                                • API String ID: 1884690901-3066803209
                                                                                                • Opcode ID: 04dd7f9366dcb91c3dbb1a54be5b737fb15d6113bcf4a575a3a2a8f2f94803e4
                                                                                                • Instruction ID: 222450ca6543349723abdfa1177da379b39b5876d7444fbb960ea0ab75079841
                                                                                                • Opcode Fuzzy Hash: 04dd7f9366dcb91c3dbb1a54be5b737fb15d6113bcf4a575a3a2a8f2f94803e4
                                                                                                • Instruction Fuzzy Hash: DAB191316083409BC214FB25C892AAFB7E5AFD4314F40492EF885632D2EF789945C79B
                                                                                                APIs
                                                                                                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                                                                                                • LoadLibraryA.KERNEL32(?), ref: 00413EC8
                                                                                                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                                                                                                • FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                                                                                                • LoadLibraryA.KERNEL32(?), ref: 00413F27
                                                                                                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                                                                                                • FreeLibrary.KERNEL32(00000000), ref: 00413F40
                                                                                                • GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                                                                                                • FreeLibrary.KERNEL32(00000000), ref: 00413F66
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                                                                • String ID: \ws2_32$\wship6$getaddrinfo
                                                                                                • API String ID: 2490988753-3078833738
                                                                                                • Opcode ID: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
                                                                                                • Instruction ID: a4547f3d416e9253f7b1cbdd0907a67efdadb69b2b53743d1710677937ed8fa2
                                                                                                • Opcode Fuzzy Hash: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
                                                                                                • Instruction Fuzzy Hash: 6D31C4B1906315A7D320AF25DC44ACBB7ECEF44745F400A2AF844D3201D778DA858AEE
                                                                                                APIs
                                                                                                • ___free_lconv_mon.LIBCMT ref: 004500B1
                                                                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F300
                                                                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F312
                                                                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F324
                                                                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F336
                                                                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F348
                                                                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F35A
                                                                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F36C
                                                                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F37E
                                                                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F390
                                                                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3A2
                                                                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3B4
                                                                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3C6
                                                                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3D8
                                                                                                • _free.LIBCMT ref: 004500A6
                                                                                                  • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                                                                  • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                                                                • _free.LIBCMT ref: 004500C8
                                                                                                • _free.LIBCMT ref: 004500DD
                                                                                                • _free.LIBCMT ref: 004500E8
                                                                                                • _free.LIBCMT ref: 0045010A
                                                                                                • _free.LIBCMT ref: 0045011D
                                                                                                • _free.LIBCMT ref: 0045012B
                                                                                                • _free.LIBCMT ref: 00450136
                                                                                                • _free.LIBCMT ref: 0045016E
                                                                                                • _free.LIBCMT ref: 00450175
                                                                                                • _free.LIBCMT ref: 00450192
                                                                                                • _free.LIBCMT ref: 004501AA
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                • String ID:
                                                                                                • API String ID: 161543041-0
                                                                                                • Opcode ID: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                                                                • Instruction ID: 6df0fc8d0da410edbfddc8482cd9dc810a80ebbb5b2f86b8c24a0bb33e3d08c7
                                                                                                • Opcode Fuzzy Hash: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                                                                • Instruction Fuzzy Hash: 96317235500B00AFEB20AA35D845B5B73E5AF42355F15841FF849E7292DF39AC98CB1A
                                                                                                APIs
                                                                                                • ___free_lconv_mon.LIBCMT ref: 10007D06
                                                                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 100090D7
                                                                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 100090E9
                                                                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 100090FB
                                                                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 1000910D
                                                                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 1000911F
                                                                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 10009131
                                                                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 10009143
                                                                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 10009155
                                                                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 10009167
                                                                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 10009179
                                                                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 1000918B
                                                                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 1000919D
                                                                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 100091AF
                                                                                                • _free.LIBCMT ref: 10007CFB
                                                                                                  • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                                                  • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                • _free.LIBCMT ref: 10007D1D
                                                                                                • _free.LIBCMT ref: 10007D32
                                                                                                • _free.LIBCMT ref: 10007D3D
                                                                                                • _free.LIBCMT ref: 10007D5F
                                                                                                • _free.LIBCMT ref: 10007D72
                                                                                                • _free.LIBCMT ref: 10007D80
                                                                                                • _free.LIBCMT ref: 10007D8B
                                                                                                • _free.LIBCMT ref: 10007DC3
                                                                                                • _free.LIBCMT ref: 10007DCA
                                                                                                • _free.LIBCMT ref: 10007DE7
                                                                                                • _free.LIBCMT ref: 10007DFF
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4482576420.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4482561350.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4482576420.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_10000000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                • String ID:
                                                                                                • API String ID: 161543041-0
                                                                                                • Opcode ID: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                                                                                • Instruction ID: 6de9b84f5b51ee4e35cbeb1ed48e08772f21b212059d2ac72beb9c863e9ed859
                                                                                                • Opcode Fuzzy Hash: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                                                                                • Instruction Fuzzy Hash: 90313931A04645EFFB21DA38E941B6A77FAFF002D1F11446AE84DDB159DE3ABC809B14
                                                                                                APIs
                                                                                                • __EH_prolog.LIBCMT ref: 0041912D
                                                                                                • GdiplusStartup.GDIPLUS(00473AF0,?,00000000), ref: 0041915F
                                                                                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004191EB
                                                                                                • Sleep.KERNEL32(000003E8), ref: 0041926D
                                                                                                • GetLocalTime.KERNEL32(?), ref: 0041927C
                                                                                                • Sleep.KERNEL32(00000000,00000018,00000000), ref: 00419365
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                                                                • String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                                                                                • API String ID: 489098229-65789007
                                                                                                • Opcode ID: a9c30b7ca3c23df960a62182adde5b6ece1c29b97acb22a7f74f9b7218aaac53
                                                                                                • Instruction ID: b922dce7c629cfc9b1bb11cb74a08c0e3353b39699bf4d86e46594d10c943285
                                                                                                • Opcode Fuzzy Hash: a9c30b7ca3c23df960a62182adde5b6ece1c29b97acb22a7f74f9b7218aaac53
                                                                                                • Instruction Fuzzy Hash: 33519F71A002449ACB14BBB5C856AFE7BA9AB55304F00407FF84AB71D2EF3C5E85C799
                                                                                                APIs
                                                                                                • Sleep.KERNEL32(00001388), ref: 00409E62
                                                                                                  • Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                                                                  • Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                                                                  • Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                                                                  • Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                                                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
                                                                                                • GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
                                                                                                • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
                                                                                                • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40
                                                                                                  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                                                                • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A049
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                                                                • String ID: 0?o$XCG$XCG$xAG$xAG
                                                                                                • API String ID: 3795512280-1312551025
                                                                                                • Opcode ID: db82f7fcbaed7571b09b5feda44f755d485f2160fd2ce4a4b86ee15c5daf0a77
                                                                                                • Instruction ID: b7dfc09a395f5416f32c5fe597dbb364f69b6ed32616efff49b152d1c9b912f4
                                                                                                • Opcode Fuzzy Hash: db82f7fcbaed7571b09b5feda44f755d485f2160fd2ce4a4b86ee15c5daf0a77
                                                                                                • Instruction Fuzzy Hash: 30518D716043005ACB05BB72D866ABF769AAFD1309F00053FF886B71E2DF3D9D44869A
                                                                                                APIs
                                                                                                  • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                                                                  • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                                                                  • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                                                                  • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                                                                  • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
                                                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C826
                                                                                                • ExitProcess.KERNEL32 ref: 0040C832
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                                                                • String ID: """, 0$.vbs$0?o$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                                                                • API String ID: 1913171305-4045034810
                                                                                                • Opcode ID: 2f523ed702ad3be297431ddc75cd15a8c1b0ab6ea1744de7960813c0f983d418
                                                                                                • Instruction ID: a795a6540db69397e2c5d2b70f340dd787df27bacd58b350937fb1c0aad7b7c4
                                                                                                • Opcode Fuzzy Hash: 2f523ed702ad3be297431ddc75cd15a8c1b0ab6ea1744de7960813c0f983d418
                                                                                                • Instruction Fuzzy Hash: A2416D329001185ACB14F762DC56DFE7779AF50718F50417FF906B30E2EE386A8ACA99
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: _free
                                                                                                • String ID:
                                                                                                • API String ID: 269201875-0
                                                                                                • Opcode ID: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
                                                                                                • Instruction ID: 48066223020562dfe8895eb3edc0e70975ef38ab3c96fc6f1fb07286cb8ca08d
                                                                                                • Opcode Fuzzy Hash: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
                                                                                                • Instruction Fuzzy Hash: 2BC15772D80204BFEB20DBA9CC82FDE77F89B45704F15416AFA04FB282D6749D458B58
                                                                                                APIs
                                                                                                  • Part of subcall function 00454650: CreateFileW.KERNEL32(00000000,?,?,+JE,?,?,00000000,?,00454A2B,00000000,0000000C), ref: 0045466D
                                                                                                • GetLastError.KERNEL32 ref: 00454A96
                                                                                                • __dosmaperr.LIBCMT ref: 00454A9D
                                                                                                • GetFileType.KERNEL32(00000000), ref: 00454AA9
                                                                                                • GetLastError.KERNEL32 ref: 00454AB3
                                                                                                • __dosmaperr.LIBCMT ref: 00454ABC
                                                                                                • CloseHandle.KERNEL32(00000000), ref: 00454ADC
                                                                                                • CloseHandle.KERNEL32(?), ref: 00454C26
                                                                                                • GetLastError.KERNEL32 ref: 00454C58
                                                                                                • __dosmaperr.LIBCMT ref: 00454C5F
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                                • String ID: H
                                                                                                • API String ID: 4237864984-2852464175
                                                                                                • Opcode ID: 6ee1e536fdc7f2f0b5cfdc99f6d3f503e334a2caa4375aff0222a5d39aa192cc
                                                                                                • Instruction ID: 324c09394b40af715295ff654573b8bda7a64cd12b4111e7ce26936e53f9a861
                                                                                                • Opcode Fuzzy Hash: 6ee1e536fdc7f2f0b5cfdc99f6d3f503e334a2caa4375aff0222a5d39aa192cc
                                                                                                • Instruction Fuzzy Hash: B0A148329041044FDF19EF78D8427AE7BA0AB86319F14015EFC159F392DB398C86C75A
                                                                                                APIs
                                                                                                • __Init_thread_footer.LIBCMT ref: 0040A456
                                                                                                • Sleep.KERNEL32(000001F4), ref: 0040A461
                                                                                                • GetForegroundWindow.USER32 ref: 0040A467
                                                                                                • GetWindowTextLengthW.USER32(00000000), ref: 0040A470
                                                                                                • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
                                                                                                • Sleep.KERNEL32(000003E8), ref: 0040A574
                                                                                                  • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                                                                • String ID: [${ User has been idle for $ minutes }$]
                                                                                                • API String ID: 911427763-3954389425
                                                                                                • Opcode ID: 1250248c4d62d117fc355c5487db7b218e06681236761ca8f2fc6291dfaaf1f0
                                                                                                • Instruction ID: 0ecdfa35f4bf358d0b6072dbfc0ad8fc4f94b2a12b5a089c7f39fa9b67fb4d59
                                                                                                • Opcode Fuzzy Hash: 1250248c4d62d117fc355c5487db7b218e06681236761ca8f2fc6291dfaaf1f0
                                                                                                • Instruction Fuzzy Hash: C451DF316083005BC614FB21D84AAAE7794BF84318F50493FF846A62E2EF7C9E55C69F
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: 65535$udp
                                                                                                • API String ID: 0-1267037602
                                                                                                • Opcode ID: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
                                                                                                • Instruction ID: a76ad32841e4dbbb66723cf4e0556afe3febbbe66cdf8f55616d13ac9502c32b
                                                                                                • Opcode Fuzzy Hash: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
                                                                                                • Instruction Fuzzy Hash: 9D4118716083019BD7209F29E905BAB7BD8EF85706F04082FF84197391E76DCEC186AE
                                                                                                APIs
                                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 00416F24
                                                                                                • CloseHandle.KERNEL32(00000000), ref: 00416F2D
                                                                                                • DeleteFileA.KERNEL32(00000000), ref: 00416F3C
                                                                                                • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00416EF0
                                                                                                  • Part of subcall function 00404468: send.WS2_32(000002E8,00000000,00000000,00000000), ref: 004044FD
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                                                                                                • String ID: <$@$@FG$@FG$TUF$Temp
                                                                                                • API String ID: 1107811701-4124992407
                                                                                                • Opcode ID: 5f2e0ce368fa88a4ca348f9bf9bce08a5d1f29e72c0c6804c22944a99ab02f9d
                                                                                                • Instruction ID: 21bac8b1790940aaec7d6d8591dec239f7d6dde33bc15b5890dc9a9e7f2861e5
                                                                                                • Opcode Fuzzy Hash: 5f2e0ce368fa88a4ca348f9bf9bce08a5d1f29e72c0c6804c22944a99ab02f9d
                                                                                                • Instruction Fuzzy Hash: E8319C319002099BCB04FBA1DC56AFE7775AF50308F00417EF906760E2EF785A8ACB99
                                                                                                APIs
                                                                                                • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393B9
                                                                                                • GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393C6
                                                                                                • __dosmaperr.LIBCMT ref: 004393CD
                                                                                                • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393F9
                                                                                                • GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439403
                                                                                                • __dosmaperr.LIBCMT ref: 0043940A
                                                                                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043944D
                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439457
                                                                                                • __dosmaperr.LIBCMT ref: 0043945E
                                                                                                • _free.LIBCMT ref: 0043946A
                                                                                                • _free.LIBCMT ref: 00439471
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                                                                • String ID:
                                                                                                • API String ID: 2441525078-0
                                                                                                • Opcode ID: af2e038675629699a3bdf98db1be6e4acccc81897dfbfa3a6a3584a15f099ab5
                                                                                                • Instruction ID: 902c93592471d116807dca9985149206a76c62e8192f2f9a6cc20a0486345b12
                                                                                                • Opcode Fuzzy Hash: af2e038675629699a3bdf98db1be6e4acccc81897dfbfa3a6a3584a15f099ab5
                                                                                                • Instruction Fuzzy Hash: F531F17140820ABBEF11AFA5DC449AF3B78EF09364F14016AF81066291DB79CC12DBA9
                                                                                                APIs
                                                                                                • SetEvent.KERNEL32(?), ref: 00404E71
                                                                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
                                                                                                • TranslateMessage.USER32(?), ref: 00404F30
                                                                                                • DispatchMessageA.USER32(?), ref: 00404F3B
                                                                                                • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074), ref: 00404FF3
                                                                                                • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B
                                                                                                  • Part of subcall function 00404468: send.WS2_32(000002E8,00000000,00000000,00000000), ref: 004044FD
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                                                                • String ID: CloseChat$DisplayMessage$GetMessage
                                                                                                • API String ID: 2956720200-749203953
                                                                                                • Opcode ID: 1a0997e78762e5c57aded1d896a4a797779e01f29d58de24e459865df5d3f63a
                                                                                                • Instruction ID: a70547b48422ce96676d24762269450ce3f1821fc9982c67352fb5fd346d99ba
                                                                                                • Opcode Fuzzy Hash: 1a0997e78762e5c57aded1d896a4a797779e01f29d58de24e459865df5d3f63a
                                                                                                • Instruction Fuzzy Hash: F741BFB16043016BC714FB75DC5A8AE77A9ABC1714F40093EF906A31E6EF38DA05C79A
                                                                                                APIs
                                                                                                • GetCurrentProcess.KERNEL32(00474A28,00000000,?,00003000,00000004,00000000,00000001), ref: 00406647
                                                                                                • GetCurrentProcess.KERNEL32(00474A28,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe), ref: 00406705
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CurrentProcess
                                                                                                • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$pUF$windir
                                                                                                • API String ID: 2050909247-943210432
                                                                                                • Opcode ID: 5f4c91d6b24130c8fe2f88965ff0ff9b6bb2609424b04334da58237aef4b63a8
                                                                                                • Instruction ID: 423827b33d6c667fb1d0fc3afb55bdad30249121d517be796f0b9763ce16cf58
                                                                                                • Opcode Fuzzy Hash: 5f4c91d6b24130c8fe2f88965ff0ff9b6bb2609424b04334da58237aef4b63a8
                                                                                                • Instruction Fuzzy Hash: B2310871250700AFC300AB65EC45F6A37B8EB84716F11043EF50AE76E1EB79A8508B6D
                                                                                                APIs
                                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419C94
                                                                                                • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CAB
                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CB8
                                                                                                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CC7
                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CD8
                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CDB
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                • String ID:
                                                                                                • API String ID: 221034970-0
                                                                                                • Opcode ID: 8f568d79055422364b0fc155fd47d6165a7356d41c75c5dcd4a60a29222dfb7a
                                                                                                • Instruction ID: aaf019a9b49167a30595a2ca3c371567d0eeee9026f0995440eeab6e66ec65be
                                                                                                • Opcode Fuzzy Hash: 8f568d79055422364b0fc155fd47d6165a7356d41c75c5dcd4a60a29222dfb7a
                                                                                                • Instruction Fuzzy Hash: 00118632901218AFD7116B64EC85DFF3FACDB45BA5B000036F502921D1DB64DD46AAF5
                                                                                                APIs
                                                                                                • _free.LIBCMT ref: 00446DDF
                                                                                                  • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                                                                  • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                                                                • _free.LIBCMT ref: 00446DEB
                                                                                                • _free.LIBCMT ref: 00446DF6
                                                                                                • _free.LIBCMT ref: 00446E01
                                                                                                • _free.LIBCMT ref: 00446E0C
                                                                                                • _free.LIBCMT ref: 00446E17
                                                                                                • _free.LIBCMT ref: 00446E22
                                                                                                • _free.LIBCMT ref: 00446E2D
                                                                                                • _free.LIBCMT ref: 00446E38
                                                                                                • _free.LIBCMT ref: 00446E46
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                                • String ID:
                                                                                                • API String ID: 776569668-0
                                                                                                • Opcode ID: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                                                                                • Instruction ID: b6db37451886405a3c03f61b360184b61b1678451e8b30ee63348233c964278a
                                                                                                • Opcode Fuzzy Hash: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                                                                                • Instruction Fuzzy Hash: F011E975100408BFEB01EF55C842CDD3B65EF46354B06C0AAF9086F222DA35DE649F85
                                                                                                APIs
                                                                                                • _free.LIBCMT ref: 100059EA
                                                                                                  • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                                                  • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                • _free.LIBCMT ref: 100059F6
                                                                                                • _free.LIBCMT ref: 10005A01
                                                                                                • _free.LIBCMT ref: 10005A0C
                                                                                                • _free.LIBCMT ref: 10005A17
                                                                                                • _free.LIBCMT ref: 10005A22
                                                                                                • _free.LIBCMT ref: 10005A2D
                                                                                                • _free.LIBCMT ref: 10005A38
                                                                                                • _free.LIBCMT ref: 10005A43
                                                                                                • _free.LIBCMT ref: 10005A51
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4482576420.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4482561350.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4482576420.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_10000000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                                • String ID:
                                                                                                • API String ID: 776569668-0
                                                                                                • Opcode ID: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                                                                                                • Instruction ID: 60753d52f1e9cb5801f9add085180c5dd3fc305f79823ad6bc57240ee419c635
                                                                                                • Opcode Fuzzy Hash: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                                                                                                • Instruction Fuzzy Hash: BE11B97E514548FFEB11DF58D842CDE3FA9EF04291B4540A1BD088F12ADA32EE50AB84
                                                                                                APIs
                                                                                                • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041B846
                                                                                                • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041B88A
                                                                                                • RegCloseKey.ADVAPI32(?), ref: 0041BB54
                                                                                                Strings
                                                                                                • DisplayName, xrefs: 0041B8D1
                                                                                                • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041B83C
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CloseEnumOpen
                                                                                                • String ID: DisplayName$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                                                • API String ID: 1332880857-3614651759
                                                                                                • Opcode ID: be487d9418a7434aad95e9825c4fb99dbac0c7fe4d506b3d910b5bf4207956f9
                                                                                                • Instruction ID: 4ca6cd9db44c7b11bab16217f2b7ba144dfc64e74838f3250c32f9e768a6938f
                                                                                                • Opcode Fuzzy Hash: be487d9418a7434aad95e9825c4fb99dbac0c7fe4d506b3d910b5bf4207956f9
                                                                                                • Instruction Fuzzy Hash: 8C812E311082449BD324EB11DC51AEFB7E9FFD4314F10493FB58A921E1EF74AA49CA9A
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Eventinet_ntoa
                                                                                                • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G
                                                                                                • API String ID: 3578746661-4192532303
                                                                                                • Opcode ID: 882d73abc1f1028df44036b25573df398973f0b795d7b16f2ddfccf44f6c6cb9
                                                                                                • Instruction ID: 9533851bb4e74ac183efc1d320b4a1154e984465ef7073577260c431c5a81f81
                                                                                                • Opcode Fuzzy Hash: 882d73abc1f1028df44036b25573df398973f0b795d7b16f2ddfccf44f6c6cb9
                                                                                                • Instruction Fuzzy Hash: E8518471A042009BC714F779D85AAAE36A59B80318F40453FF849972E2DF7CAD85CB9F
                                                                                                APIs
                                                                                                • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C
                                                                                                  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                                                                • Sleep.KERNEL32(00000064), ref: 00416688
                                                                                                • DeleteFileW.KERNEL32(00000000), ref: 004166BC
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: File$CreateDeleteExecuteShellSleep
                                                                                                • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                                                                • API String ID: 1462127192-2001430897
                                                                                                • Opcode ID: d21e0b7444ef16f4815b063b5dd4add99d6b7eb9d38a6b663a45f1baa0c704e9
                                                                                                • Instruction ID: 72b86f905f1643b809cd09d25b02ba286255726e8958c1b91c3bd62dba73c542
                                                                                                • Opcode Fuzzy Hash: d21e0b7444ef16f4815b063b5dd4add99d6b7eb9d38a6b663a45f1baa0c704e9
                                                                                                • Instruction Fuzzy Hash: FD313E719001085ADB14FBA1DC96EEE7764AF50708F00013FF906731E2EF786A8ACA9D
                                                                                                APIs
                                                                                                • _strftime.LIBCMT ref: 00401AD3
                                                                                                  • Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                                                                • waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 00401B85
                                                                                                • waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 00401BC3
                                                                                                • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401BD2
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                                                                • String ID: %Y-%m-%d %H.%M$.wav$`=G$x=G
                                                                                                • API String ID: 3809562944-3643129801
                                                                                                • Opcode ID: b5da03968aa696b061eefe29f3213ebb6219f06a5946cc2e5b54c1b13d12e9c1
                                                                                                • Instruction ID: ec6e8c75c27496dd15f6dcc160753dc5291fcfbcfc36b55cd818fae73feeac55
                                                                                                • Opcode Fuzzy Hash: b5da03968aa696b061eefe29f3213ebb6219f06a5946cc2e5b54c1b13d12e9c1
                                                                                                • Instruction Fuzzy Hash: 6C317E315053009BC314EF25DC56A9E77E8BB94314F00883EF559A21F1EF78AA49CB9A
                                                                                                APIs
                                                                                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
                                                                                                • waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
                                                                                                • waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
                                                                                                • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
                                                                                                • waveInStart.WINMM ref: 00401A81
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                                                                • String ID: XCG$`=G$x=G
                                                                                                • API String ID: 1356121797-903574159
                                                                                                • Opcode ID: df66b5dce40286873da021395106849cc9c08a1aee5ad096444ea0181d895aab
                                                                                                • Instruction ID: 1c4952ee711c82e1d68262a7885cb64ec938acb60d992cd4a46dee1db52e037b
                                                                                                • Opcode Fuzzy Hash: df66b5dce40286873da021395106849cc9c08a1aee5ad096444ea0181d895aab
                                                                                                • Instruction Fuzzy Hash: 87215C316012009BC704DF7EFD1696A7BA9FB85742B00843AF50DE76B0EBB89880CB4C
                                                                                                APIs
                                                                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C988
                                                                                                  • Part of subcall function 0041CA1F: RegisterClassExA.USER32(00000030), ref: 0041CA6C
                                                                                                  • Part of subcall function 0041CA1F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
                                                                                                  • Part of subcall function 0041CA1F: GetLastError.KERNEL32 ref: 0041CA91
                                                                                                • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041C9BF
                                                                                                • lstrcpynA.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9D9
                                                                                                • Shell_NotifyIconA.SHELL32(00000000,00473B50), ref: 0041C9EF
                                                                                                • TranslateMessage.USER32(?), ref: 0041C9FB
                                                                                                • DispatchMessageA.USER32(?), ref: 0041CA05
                                                                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CA12
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                                                                • String ID: Remcos
                                                                                                • API String ID: 1970332568-165870891
                                                                                                • Opcode ID: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                                                                                • Instruction ID: 0af2178feff80faf092f0d4c6bffee9b758878d1eb04e36c9ad6546aee081b39
                                                                                                • Opcode Fuzzy Hash: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                                                                                • Instruction Fuzzy Hash: 760121B1944344ABD7109FA5FC4CEDA7BBCAB45B16F004035F605E2162D7B8A285DB2D
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: fcc2c2816786db3331fe4fa4cc48332b155136c474820dd8e562c8cdfa0ddddc
                                                                                                • Instruction ID: 1e235cce983953b2f50cc3566bc78ab2d8216d31b9fa4c429b6f00869d8f9d70
                                                                                                • Opcode Fuzzy Hash: fcc2c2816786db3331fe4fa4cc48332b155136c474820dd8e562c8cdfa0ddddc
                                                                                                • Instruction Fuzzy Hash: 27C1D774D04249AFEF11DFA9C8417AEBBB4FF4A304F14405AE814A7392C778D941CBA9
                                                                                                APIs
                                                                                                • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,00452E03,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00452BD6
                                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452C59
                                                                                                • __alloca_probe_16.LIBCMT ref: 00452C91
                                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,00452E03,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452CEC
                                                                                                • __alloca_probe_16.LIBCMT ref: 00452D3B
                                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D03
                                                                                                  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00433627,?,?,00402BE9,?,00402629,00000000,?,00402578,?,?), ref: 00446B31
                                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D7F
                                                                                                • __freea.LIBCMT ref: 00452DAA
                                                                                                • __freea.LIBCMT ref: 00452DB6
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                                                                • String ID:
                                                                                                • API String ID: 201697637-0
                                                                                                • Opcode ID: b1c83994ecbe3f941fd24685bb9664c395dd4006a3bd2ce5fbc620e0f8a5dfb4
                                                                                                • Instruction ID: c0da75549b7b47b94c7346473649b17197e9394d7568cc7349c1d05b16f9ad8a
                                                                                                • Opcode Fuzzy Hash: b1c83994ecbe3f941fd24685bb9664c395dd4006a3bd2ce5fbc620e0f8a5dfb4
                                                                                                • Instruction Fuzzy Hash: F391D872E002169BDF218E64CA51EEF7BB5AF0A315F14055BEC04E7243D7A9DC48CB68
                                                                                                APIs
                                                                                                • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
                                                                                                • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
                                                                                                • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
                                                                                                • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D58
                                                                                                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D72
                                                                                                • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D7D
                                                                                                • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D8A
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4482576420.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4482561350.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4482576420.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_10000000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: File$Delete$CloseCopyCreateHandleReadSize
                                                                                                • String ID:
                                                                                                • API String ID: 1454806937-0
                                                                                                • Opcode ID: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                                                                                                • Instruction ID: 3114db45d92e83daf92c47a85baf70c14dd0292bf94a6379629bf72341f68b19
                                                                                                • Opcode Fuzzy Hash: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                                                                                                • Instruction Fuzzy Hash: 2221FCB594122CAFF710EBA08CCCFEF76ACEB08395F010566F515D2154D6709E458A70
                                                                                                APIs
                                                                                                  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                                                                  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                • _memcmp.LIBVCRUNTIME ref: 004446A3
                                                                                                • _free.LIBCMT ref: 00444714
                                                                                                • _free.LIBCMT ref: 0044472D
                                                                                                • _free.LIBCMT ref: 0044475F
                                                                                                • _free.LIBCMT ref: 00444768
                                                                                                • _free.LIBCMT ref: 00444774
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: _free$ErrorLast$_abort_memcmp
                                                                                                • String ID: C
                                                                                                • API String ID: 1679612858-1037565863
                                                                                                • Opcode ID: c1bf1e8f9dec5d7cfc4ae1e5b0c5bec2e7773f5590c7fa80be8f87cb2d294935
                                                                                                • Instruction ID: 3c523a64da6f7cdf058c983f33271b3c05ff2f19a58e511a78fa6d1555c07658
                                                                                                • Opcode Fuzzy Hash: c1bf1e8f9dec5d7cfc4ae1e5b0c5bec2e7773f5590c7fa80be8f87cb2d294935
                                                                                                • Instruction Fuzzy Hash: 19B13975A012199FEB24DF18C885BAEB7B4FB49304F1485AEE909A7350D739AE90CF44
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: tcp$udp
                                                                                                • API String ID: 0-3725065008
                                                                                                • Opcode ID: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
                                                                                                • Instruction ID: e59cad8d3053530f07be13ad944632c35d9115139dfdf9e987abb4c2b311e0ee
                                                                                                • Opcode Fuzzy Hash: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
                                                                                                • Instruction Fuzzy Hash: 9171AB316083128FDB24CE5584847ABB6E4AF84746F10043FF885A7352E778DE85CB9A
                                                                                                APIs
                                                                                                • ExitThread.KERNEL32 ref: 004017F4
                                                                                                  • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                                                                                  • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                                                                                                • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00473EE8,00000000), ref: 00401902
                                                                                                  • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                                                                • __Init_thread_footer.LIBCMT ref: 004017BC
                                                                                                  • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                                                                                  • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                                                                • String ID: T=G$p[G$>G$>G
                                                                                                • API String ID: 1596592924-2461731529
                                                                                                • Opcode ID: 060fbae815ca74fcc89c057f3ca3201a7b647a0ea9831cfa2eedc3502e4513c6
                                                                                                • Instruction ID: b2aa677fe1363808454ef9d3704f93b9908b7cd688e3fd59dcdd6ad405d7ff49
                                                                                                • Opcode Fuzzy Hash: 060fbae815ca74fcc89c057f3ca3201a7b647a0ea9831cfa2eedc3502e4513c6
                                                                                                • Instruction Fuzzy Hash: 0D41A0316042019BC324FB65DCA6EAE73A4EB94318F00453FF54AA71F2DF78A945C65E
                                                                                                APIs
                                                                                                • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412CC1
                                                                                                  • Part of subcall function 004129AA: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                                                                  • Part of subcall function 004129AA: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                                                                  • Part of subcall function 00404468: send.WS2_32(000002E8,00000000,00000000,00000000), ref: 004044FD
                                                                                                • RegCloseKey.ADVAPI32(TUFTUF,00465554,00465554,00465900,00465900,00000071), ref: 00412E31
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CloseEnumInfoOpenQuerysend
                                                                                                • String ID: TUF$TUFTUF$>G$DG$DG
                                                                                                • API String ID: 3114080316-72097156
                                                                                                • Opcode ID: 9d675812e21c4edee355bf5c13d9b4aae5657541a44311af8ef9872d0ed657c0
                                                                                                • Instruction ID: 92049c6ae7fba3f13a57cd60a3827c89810429dfa6cf24b756c0ab1f01d338b1
                                                                                                • Opcode Fuzzy Hash: 9d675812e21c4edee355bf5c13d9b4aae5657541a44311af8ef9872d0ed657c0
                                                                                                • Instruction Fuzzy Hash: 0141A2316042009BC224F635D9A2AEF7394AFD0708F50843FF94A671E2EF7C5D4986AE
                                                                                                APIs
                                                                                                • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                                                                • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                                                                  • Part of subcall function 00404468: send.WS2_32(000002E8,00000000,00000000,00000000), ref: 004044FD
                                                                                                • CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                                                                • MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                                                                • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
                                                                                                • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18
                                                                                                  • Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
                                                                                                  • Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                                                                • String ID: .part
                                                                                                • API String ID: 1303771098-3499674018
                                                                                                • Opcode ID: 5610bc5f6e39d3a578a479bf42043ce2c794b33f9a6bdb85f7b999220e864034
                                                                                                • Instruction ID: a9f2b94bfe891e644ef5b97f564769cd4b441703f4f7d546a0b6aea2ef9939f1
                                                                                                • Opcode Fuzzy Hash: 5610bc5f6e39d3a578a479bf42043ce2c794b33f9a6bdb85f7b999220e864034
                                                                                                • Instruction Fuzzy Hash: 1C31C2715083019FD210EF21DD459AFB7A8FB85715F40093FF9C6A21A1DB38AA48CB9A
                                                                                                APIs
                                                                                                  • Part of subcall function 00412584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004125A6
                                                                                                  • Part of subcall function 00412584: RegQueryValueExW.ADVAPI32(?,0040E0BA,00000000,00000000,?,00000400), ref: 004125C5
                                                                                                  • Part of subcall function 00412584: RegCloseKey.ADVAPI32(?), ref: 004125CE
                                                                                                  • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                                                                  • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
                                                                                                • _wcslen.LIBCMT ref: 0041A8F6
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                                                                                • String ID: .exe$:@$XCG$http\shell\open\command$program files (x86)\$program files\
                                                                                                • API String ID: 3286818993-703403762
                                                                                                • Opcode ID: 3dd2e44a30b9e0726aafea5caaac72e33bd3badc141b86d0a3af8b333098f802
                                                                                                • Instruction ID: cf464564bb47d370653928ac6653466accee15d45f6204cdc17a1bec324f9b19
                                                                                                • Opcode Fuzzy Hash: 3dd2e44a30b9e0726aafea5caaac72e33bd3badc141b86d0a3af8b333098f802
                                                                                                • Instruction Fuzzy Hash: 3021B8727001043BDB04BAB58C96DEE366D9B85358F14083FF402F72C2ED3C9D5942A9
                                                                                                APIs
                                                                                                  • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                                                                  • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                                                                  • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
                                                                                                • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
                                                                                                • PathFileExistsA.SHLWAPI(?), ref: 0040B779
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                                                                • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders$TUF
                                                                                                • API String ID: 1133728706-1738023494
                                                                                                • Opcode ID: fb6bd2806f06ec71fb5b304bda60ba0cad542d4ddec00b303a18f78be82dbe5b
                                                                                                • Instruction ID: d844a8c095f6bc09782a4352348c5dfd082864f820bca84d12e352ec49be167e
                                                                                                • Opcode Fuzzy Hash: fb6bd2806f06ec71fb5b304bda60ba0cad542d4ddec00b303a18f78be82dbe5b
                                                                                                • Instruction Fuzzy Hash: 5F216D71A00109A6CB04F7B2DCA69EE7764AE95318F40013FE902771D2EB7C9A49C6DE
                                                                                                APIs
                                                                                                • AllocConsole.KERNEL32(00474358), ref: 0041BEB9
                                                                                                • GetConsoleWindow.KERNEL32 ref: 0041BEBF
                                                                                                • ShowWindow.USER32(00000000,00000000), ref: 0041BED2
                                                                                                • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041BEF7
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Console$Window$AllocOutputShow
                                                                                                • String ID: Remcos v$5.3.0 Pro$CONOUT$
                                                                                                • API String ID: 4067487056-2527699604
                                                                                                • Opcode ID: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
                                                                                                • Instruction ID: 482f1cdaf256b8236abc94a0b12de3dc55517b66349f776fa4240982defd8f75
                                                                                                • Opcode Fuzzy Hash: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
                                                                                                • Instruction Fuzzy Hash: 180171B19803047BD600FBF29D4BFDD37AC9B14705F5004277644E7093EABCA554866D
                                                                                                APIs
                                                                                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042CE53,?,?,?,00449BA1,00000001,00000001,?), ref: 004499AA
                                                                                                • __alloca_probe_16.LIBCMT ref: 004499E2
                                                                                                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042CE53,?,?,?,00449BA1,00000001,00000001,?), ref: 00449A30
                                                                                                • __alloca_probe_16.LIBCMT ref: 00449AC7
                                                                                                • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449B2A
                                                                                                • __freea.LIBCMT ref: 00449B37
                                                                                                  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00433627,?,?,00402BE9,?,00402629,00000000,?,00402578,?,?), ref: 00446B31
                                                                                                • __freea.LIBCMT ref: 00449B40
                                                                                                • __freea.LIBCMT ref: 00449B65
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                                                                • String ID:
                                                                                                • API String ID: 3864826663-0
                                                                                                • Opcode ID: 81d70c20703e66394a8e6e24da3589bfc2c015b76e7b2aedf7d205086cdaf592
                                                                                                • Instruction ID: d3450b84a68f20df6837e20b70452335b33749c243a385fd48b45426a0ff81fe
                                                                                                • Opcode Fuzzy Hash: 81d70c20703e66394a8e6e24da3589bfc2c015b76e7b2aedf7d205086cdaf592
                                                                                                • Instruction Fuzzy Hash: 89511572610246AFFB258F65DC81EBB77A9EB44754F15462EFC04E6240EF38EC40E668
                                                                                                APIs
                                                                                                • SendInput.USER32 ref: 00418B08
                                                                                                • SendInput.USER32(00000001,?,0000001C), ref: 00418B30
                                                                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B57
                                                                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B75
                                                                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B95
                                                                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BBA
                                                                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BDC
                                                                                                • SendInput.USER32(00000001,?,0000001C), ref: 00418BFF
                                                                                                  • Part of subcall function 00418AB1: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418AB7
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: InputSend$Virtual
                                                                                                • String ID:
                                                                                                • API String ID: 1167301434-0
                                                                                                • Opcode ID: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                                                                                                • Instruction ID: ee8b26819532887277ba411a2a2a0296f2420856d0f10470abe43a11d9a37015
                                                                                                • Opcode Fuzzy Hash: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                                                                                                • Instruction Fuzzy Hash: 3231A471248345AAE210DF65D841FDFFBECAFC5B44F04080FB98457291DAA4D98C87AB
                                                                                                APIs
                                                                                                • OpenClipboard.USER32 ref: 00415A46
                                                                                                • EmptyClipboard.USER32 ref: 00415A54
                                                                                                • CloseClipboard.USER32 ref: 00415A5A
                                                                                                • OpenClipboard.USER32 ref: 00415A61
                                                                                                • GetClipboardData.USER32(0000000D), ref: 00415A71
                                                                                                • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                                                                                • CloseClipboard.USER32 ref: 00415A89
                                                                                                  • Part of subcall function 00404468: send.WS2_32(000002E8,00000000,00000000,00000000), ref: 004044FD
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                                                                • String ID:
                                                                                                • API String ID: 2172192267-0
                                                                                                • Opcode ID: 8c20eb73d0c573b3589a1d7e4d7d70423697efab0c1071ae27cfa6a5c3502862
                                                                                                • Instruction ID: 9b100a12d13cc6c4196ee8fc3e520842cce62831b2d72284ea91ff5550736cd9
                                                                                                • Opcode Fuzzy Hash: 8c20eb73d0c573b3589a1d7e4d7d70423697efab0c1071ae27cfa6a5c3502862
                                                                                                • Instruction Fuzzy Hash: A10152312083009FC314BB75EC5AAEE77A5AFC0762F41457EFD06861A2DF38C845D65A
                                                                                                APIs
                                                                                                • _free.LIBCMT ref: 00447EBC
                                                                                                • _free.LIBCMT ref: 00447EE0
                                                                                                • _free.LIBCMT ref: 00448067
                                                                                                • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
                                                                                                • _free.LIBCMT ref: 00448233
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                                                                • String ID:
                                                                                                • API String ID: 314583886-0
                                                                                                • Opcode ID: b6bc52503377ed9d6f1f9e4f23e77935edc363574d887804d00f446c38a2ef84
                                                                                                • Instruction ID: d74e55ca02e924b9256a88f94e7be2aa31ce1fd8fbfcff02d88bcfbefc6cbd9d
                                                                                                • Opcode Fuzzy Hash: b6bc52503377ed9d6f1f9e4f23e77935edc363574d887804d00f446c38a2ef84
                                                                                                • Instruction Fuzzy Hash: 32C12871904205ABFB24DF799C41AAE7BB8EF46314F2441AFE484A7351EB388E47C758
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: _free
                                                                                                • String ID:
                                                                                                • API String ID: 269201875-0
                                                                                                • Opcode ID: 5969c94153c7b7bc47658fb7421fb2dc5c6178a12c9a66a46f54a64434edbe96
                                                                                                • Instruction ID: 5fecc71d39e6a90402c47f7728bb4f6831cdfeb90858b0dfc168023e2edb8b83
                                                                                                • Opcode Fuzzy Hash: 5969c94153c7b7bc47658fb7421fb2dc5c6178a12c9a66a46f54a64434edbe96
                                                                                                • Instruction Fuzzy Hash: 2361BFB1900205AFEB20DF69C841BAABBF4EB45720F24417BE944FB392E7349D45CB59
                                                                                                APIs
                                                                                                  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00433627,?,?,00402BE9,?,00402629,00000000,?,00402578,?,?), ref: 00446B31
                                                                                                • _free.LIBCMT ref: 00444086
                                                                                                • _free.LIBCMT ref: 0044409D
                                                                                                • _free.LIBCMT ref: 004440BC
                                                                                                • _free.LIBCMT ref: 004440D7
                                                                                                • _free.LIBCMT ref: 004440EE
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: _free$AllocateHeap
                                                                                                • String ID: J7D
                                                                                                • API String ID: 3033488037-1677391033
                                                                                                • Opcode ID: e789079c2bca6bbabae9b3291a6a7c0d52dcd5a72fb4a21e852c8be1410d12d6
                                                                                                • Instruction ID: b5a2c1f2d034459fb850ff781f480331835685433a1d37f27cfcf8091ebf3f31
                                                                                                • Opcode Fuzzy Hash: e789079c2bca6bbabae9b3291a6a7c0d52dcd5a72fb4a21e852c8be1410d12d6
                                                                                                • Instruction Fuzzy Hash: 9251E371A00604AFEB20DF6AC841B6AB3F4EF95724F14416EE909D7251E739ED15CB88
                                                                                                APIs
                                                                                                • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0044A838,?,00000000,00000000,00000000,00000000,0000000C), ref: 0044A105
                                                                                                • __fassign.LIBCMT ref: 0044A180
                                                                                                • __fassign.LIBCMT ref: 0044A19B
                                                                                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0044A1C1
                                                                                                • WriteFile.KERNEL32(?,00000000,00000000,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A1E0
                                                                                                • WriteFile.KERNEL32(?,?,00000001,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A219
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                • String ID:
                                                                                                • API String ID: 1324828854-0
                                                                                                • Opcode ID: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                                                                                • Instruction ID: b40464c9ec282996611fef5cbd20273031f87559cdf671a411eba52403cbf28d
                                                                                                • Opcode Fuzzy Hash: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                                                                                • Instruction Fuzzy Hash: DB51E270E002099FEB10CFA8D881AEEBBF8FF09300F14416BE815E3391D6749951CB6A
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: _free
                                                                                                • String ID: HE$HE
                                                                                                • API String ID: 269201875-1978648262
                                                                                                • Opcode ID: 65ff1149e5400faf749e77ee0a373f8307c7a4f77e118ae33a4d82d27c9b20c0
                                                                                                • Instruction ID: 4134de32792d44acead4bb36f8da9b5b282593f8ffe10db144b1eaf4d9577b64
                                                                                                • Opcode Fuzzy Hash: 65ff1149e5400faf749e77ee0a373f8307c7a4f77e118ae33a4d82d27c9b20c0
                                                                                                • Instruction Fuzzy Hash: 90412A31A009106BEF24AABA8CD5A7F3B64DF45375F14031BFC1896293D67C8C4996AA
                                                                                                APIs
                                                                                                • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,10009C07,?,00000000,?,00000000,00000000), ref: 100094D4
                                                                                                • __fassign.LIBCMT ref: 1000954F
                                                                                                • __fassign.LIBCMT ref: 1000956A
                                                                                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 10009590
                                                                                                • WriteFile.KERNEL32(?,?,00000000,10009C07,00000000,?,?,?,?,?,?,?,?,?,10009C07,?), ref: 100095AF
                                                                                                • WriteFile.KERNEL32(?,?,00000001,10009C07,00000000,?,?,?,?,?,?,?,?,?,10009C07,?), ref: 100095E8
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4482576420.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4482561350.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4482576420.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_10000000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                • String ID:
                                                                                                • API String ID: 1324828854-0
                                                                                                • Opcode ID: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                                                                                • Instruction ID: 7b1e32e7ca62d622bc6abd4954a79b3a1191cf35157f5551c2bc05612337e78d
                                                                                                • Opcode Fuzzy Hash: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                                                                                • Instruction Fuzzy Hash: D7519271D00249AFEB10CFA4CC95BDEBBF8EF09350F15811AE955E7295D731AA41CB60
                                                                                                APIs
                                                                                                  • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                                                                  • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
                                                                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
                                                                                                • Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
                                                                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
                                                                                                • CloseHandle.KERNEL32(00000000), ref: 0040E8AB
                                                                                                  • Part of subcall function 0041B187: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B19C
                                                                                                  • Part of subcall function 0041B187: IsWow64Process.KERNEL32(00000000,?,?,?,00474358), ref: 0041B1A7
                                                                                                  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                                                                                  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                                                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E89C
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                                                                • String ID: PgF
                                                                                                • API String ID: 2180151492-654241383
                                                                                                • Opcode ID: 159c1e84a2f93b72ade8697b092ad18f3883c1f87a00b09f3a89ddcac0a0cbdd
                                                                                                • Instruction ID: 1ccfc3ca83e07eb3b8bade3b71d1bee95701cef3987deea6625860c00c24977f
                                                                                                • Opcode Fuzzy Hash: 159c1e84a2f93b72ade8697b092ad18f3883c1f87a00b09f3a89ddcac0a0cbdd
                                                                                                • Instruction Fuzzy Hash: F641E1311083415BC325F761D8A1AEFB7E9EFA4305F50453EF84A931E1EF389A49C65A
                                                                                                APIs
                                                                                                • _ValidateLocalCookies.LIBCMT ref: 00437AAB
                                                                                                • ___except_validate_context_record.LIBVCRUNTIME ref: 00437AB3
                                                                                                • _ValidateLocalCookies.LIBCMT ref: 00437B41
                                                                                                • __IsNonwritableInCurrentImage.LIBCMT ref: 00437B6C
                                                                                                • _ValidateLocalCookies.LIBCMT ref: 00437BC1
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                • String ID: csm
                                                                                                • API String ID: 1170836740-1018135373
                                                                                                • Opcode ID: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
                                                                                                • Instruction ID: 9404c61c081bc4e6da2099be8a52027e1297fde76841380def533d3eaa533744
                                                                                                • Opcode Fuzzy Hash: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
                                                                                                • Instruction Fuzzy Hash: CD410970A04209DBCF20EF19C844A9FBBB5AF0932CF14915BE8556B392D739EE05CB95
                                                                                                APIs
                                                                                                • _ValidateLocalCookies.LIBCMT ref: 1000339B
                                                                                                • ___except_validate_context_record.LIBVCRUNTIME ref: 100033A3
                                                                                                • _ValidateLocalCookies.LIBCMT ref: 10003431
                                                                                                • __IsNonwritableInCurrentImage.LIBCMT ref: 1000345C
                                                                                                • _ValidateLocalCookies.LIBCMT ref: 100034B1
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4482576420.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4482561350.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4482576420.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_10000000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                • String ID: csm
                                                                                                • API String ID: 1170836740-1018135373
                                                                                                • Opcode ID: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                                                                                • Instruction ID: 0a936c430148d26a69835db3fa9f683d01d5328c1142e13f0191aacd949c771e
                                                                                                • Opcode Fuzzy Hash: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                                                                                • Instruction Fuzzy Hash: D141D678E042189BEB12CF68C880A9FBBF9EF453A4F10C155E9159F25AD731FA01CB91
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: dfab428511212000b980b964f0fa0b3b0c66161db3c5fab27109bb8a214377e5
                                                                                                • Instruction ID: 969edc756a0dffe936139f0dc9bce31aed38431af2e56c5058bd22e5c2f4fad6
                                                                                                • Opcode Fuzzy Hash: dfab428511212000b980b964f0fa0b3b0c66161db3c5fab27109bb8a214377e5
                                                                                                • Instruction Fuzzy Hash: 991124B1508654FBDB202F769C4493B3B6CEF82376B10016FFC15D7242DA7C8805C2AA
                                                                                                APIs
                                                                                                • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBFC
                                                                                                • int.LIBCPMT ref: 0040FC0F
                                                                                                  • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                                                                  • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                                                                • std::_Facet_Register.LIBCPMT ref: 0040FC4B
                                                                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC71
                                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC8D
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                                                • String ID: P[G
                                                                                                • API String ID: 2536120697-571123470
                                                                                                • Opcode ID: 9dc93271d8ca2c5a2fe1f23905a31ea5d19b989abd63f293402e2a51e6b4ac0b
                                                                                                • Instruction ID: a46b155a0a589d4ea75c4983af6a631921b9d9812a15003568faaf62f6f01cf1
                                                                                                • Opcode Fuzzy Hash: 9dc93271d8ca2c5a2fe1f23905a31ea5d19b989abd63f293402e2a51e6b4ac0b
                                                                                                • Instruction Fuzzy Hash: 7611F331904518A7CB14FBA5D8469DEB7689E44358B20007BF905B72C1EB7CAE45C79D
                                                                                                APIs
                                                                                                  • Part of subcall function 0044FA22: _free.LIBCMT ref: 0044FA4B
                                                                                                • _free.LIBCMT ref: 0044FD29
                                                                                                  • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                                                                  • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                                                                • _free.LIBCMT ref: 0044FD34
                                                                                                • _free.LIBCMT ref: 0044FD3F
                                                                                                • _free.LIBCMT ref: 0044FD93
                                                                                                • _free.LIBCMT ref: 0044FD9E
                                                                                                • _free.LIBCMT ref: 0044FDA9
                                                                                                • _free.LIBCMT ref: 0044FDB4
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                                • String ID:
                                                                                                • API String ID: 776569668-0
                                                                                                • Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                                                                • Instruction ID: b6f47af98b99390d2ca34363280ce03bc5e4d1be0f6c4f29549f69d6ae0d3a9a
                                                                                                • Opcode Fuzzy Hash: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                                                                • Instruction Fuzzy Hash: 5F119031711B04B6F520FBB2CC07FCBB7DC9F42308F814C2EB29E76152E628A9184645
                                                                                                APIs
                                                                                                  • Part of subcall function 10009221: _free.LIBCMT ref: 1000924A
                                                                                                • _free.LIBCMT ref: 100092AB
                                                                                                  • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                                                  • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                • _free.LIBCMT ref: 100092B6
                                                                                                • _free.LIBCMT ref: 100092C1
                                                                                                • _free.LIBCMT ref: 10009315
                                                                                                • _free.LIBCMT ref: 10009320
                                                                                                • _free.LIBCMT ref: 1000932B
                                                                                                • _free.LIBCMT ref: 10009336
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4482576420.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4482561350.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4482576420.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_10000000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                                • String ID:
                                                                                                • API String ID: 776569668-0
                                                                                                • Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                                                • Instruction ID: 62dea9ede071ec04ae7e8d39c2d2a9b8d59ba4565e42afa4a1a73bd13a3591d1
                                                                                                • Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                                                • Instruction Fuzzy Hash: 3E118E35548B08FAFA20EBB0EC47FCB7B9DEF04780F400824BA9DB6097DA25B5249751
                                                                                                APIs
                                                                                                • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe), ref: 00406835
                                                                                                  • Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
                                                                                                  • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                                                                • CoUninitialize.OLE32 ref: 0040688E
                                                                                                Strings
                                                                                                • C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, xrefs: 00406815, 00406818, 0040686A
                                                                                                • [+] ShellExec success, xrefs: 00406873
                                                                                                • [+] before ShellExec, xrefs: 00406856
                                                                                                • [+] ucmCMLuaUtilShellExecMethod, xrefs: 0040681A
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: InitializeObjectUninitialize_wcslen
                                                                                                • String ID: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                                                                • API String ID: 3851391207-924317877
                                                                                                • Opcode ID: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                                                                                                • Instruction ID: 622c6236034ee416db36617ed9a374104512909f75adacabffe0517dc70a223e
                                                                                                • Opcode Fuzzy Hash: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                                                                                                • Instruction Fuzzy Hash: A501C0722013106FE2287B11DC0EF3B2658DB4176AF22413FF946A71C1EAA9AC104669
                                                                                                APIs
                                                                                                • std::_Lockit::_Lockit.LIBCPMT ref: 0040FEDF
                                                                                                • int.LIBCPMT ref: 0040FEF2
                                                                                                  • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                                                                  • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                                                                • std::_Facet_Register.LIBCPMT ref: 0040FF2E
                                                                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FF54
                                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FF70
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                                                • String ID: H]G
                                                                                                • API String ID: 2536120697-1717957184
                                                                                                • Opcode ID: 831260e2e50258e734e800f671c2e221e985db4fe4157639c37b4271b6a7a30d
                                                                                                • Instruction ID: c39742161ac3258eace465d30f2780732a1ff9819e97f4bd037edafe9ec39b9f
                                                                                                • Opcode Fuzzy Hash: 831260e2e50258e734e800f671c2e221e985db4fe4157639c37b4271b6a7a30d
                                                                                                • Instruction Fuzzy Hash: 9011BF31900419ABCB24FBA5C8468DDB7799F95318B20007FF505B72C1EB78AF09C799
                                                                                                APIs
                                                                                                • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
                                                                                                • GetLastError.KERNEL32 ref: 0040B2EE
                                                                                                Strings
                                                                                                • [Chrome Cookies not found], xrefs: 0040B308
                                                                                                • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
                                                                                                • UserProfile, xrefs: 0040B2B4
                                                                                                • [Chrome Cookies found, cleared!], xrefs: 0040B314
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: DeleteErrorFileLast
                                                                                                • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                                                                • API String ID: 2018770650-304995407
                                                                                                • Opcode ID: dd78de24b3325a0bfbf2949613afc2d358e081220bc636fac14671edb4b67a18
                                                                                                • Instruction ID: 647c9f6895dd19beb09db90be4e639f81332b1b521455d1adc7a9c6a9ee315b4
                                                                                                • Opcode Fuzzy Hash: dd78de24b3325a0bfbf2949613afc2d358e081220bc636fac14671edb4b67a18
                                                                                                • Instruction Fuzzy Hash: 3301A23164410557CB047BB5DD6B8AF3624ED50708F60013FF802B32E2FE3A9A0586CE
                                                                                                Strings
                                                                                                • C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, xrefs: 00406927
                                                                                                • \o, xrefs: 00406909
                                                                                                • Rmc-QYW18E, xrefs: 0040693F
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: \o$C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe$Rmc-QYW18E
                                                                                                • API String ID: 0-1963782946
                                                                                                • Opcode ID: 51f1828bc25dd4c0d61216237760cedcfa3e45f86a5da5526d20c461b23c031b
                                                                                                • Instruction ID: a0817f974ad937f6cb5b9dd001e5131ae01746641b95ac10126ddf8aadfa6e31
                                                                                                • Opcode Fuzzy Hash: 51f1828bc25dd4c0d61216237760cedcfa3e45f86a5da5526d20c461b23c031b
                                                                                                • Instruction Fuzzy Hash: 05F096B17022109BDB103774BC1967A3645A780356F01847BF94BFA6E5DB3C8851869C
                                                                                                APIs
                                                                                                • __allrem.LIBCMT ref: 00439789
                                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397A5
                                                                                                • __allrem.LIBCMT ref: 004397BC
                                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397DA
                                                                                                • __allrem.LIBCMT ref: 004397F1
                                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043980F
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                                • String ID:
                                                                                                • API String ID: 1992179935-0
                                                                                                • Opcode ID: 9c67cb4fed110ca44ac0cc586ac5e74db1fc7c48150eab0f41685f45472ef8a2
                                                                                                • Instruction ID: 29148231e9435c1f59b8c02308e8e4f0c882d016d38a0f6ab7871d26eba04b65
                                                                                                • Opcode Fuzzy Hash: 9c67cb4fed110ca44ac0cc586ac5e74db1fc7c48150eab0f41685f45472ef8a2
                                                                                                • Instruction Fuzzy Hash: 7A811B726017069BE724AE79CC82B6F73A8AF49328F24512FF511D66C1E7B8DD018B58
                                                                                                APIs
                                                                                                • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,10006FFD,00000000,?,?,?,10008A72,?,?,00000100), ref: 1000887B
                                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,10008A72,?,?,00000100,5EFC4D8B,?,?), ref: 10008901
                                                                                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 100089FB
                                                                                                • __freea.LIBCMT ref: 10008A08
                                                                                                  • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                                                                • __freea.LIBCMT ref: 10008A11
                                                                                                • __freea.LIBCMT ref: 10008A36
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4482576420.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4482561350.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4482576420.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_10000000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                                • String ID:
                                                                                                • API String ID: 1414292761-0
                                                                                                • Opcode ID: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                                                                                • Instruction ID: 3f57ce737592ef9202bcebfaa3f65c0582e3f3231b4dd00ae19a895c9b397c34
                                                                                                • Opcode Fuzzy Hash: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                                                                                • Instruction Fuzzy Hash: 4F51CF72710216ABFB15CF60CC85EAB37A9FB417D0F11462AFC44D6148EB35EE509BA1
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: __cftoe
                                                                                                • String ID:
                                                                                                • API String ID: 4189289331-0
                                                                                                • Opcode ID: 07fcb3c060a749777e725642930ed18157a1f5019e1f3146b4d3bc33616e3b2a
                                                                                                • Instruction ID: 646e0444ce84107b4b6d0ff1d92098e8eb0dfa86acef9ec08128487301265115
                                                                                                • Opcode Fuzzy Hash: 07fcb3c060a749777e725642930ed18157a1f5019e1f3146b4d3bc33616e3b2a
                                                                                                • Instruction Fuzzy Hash: A851FC72900105ABFB249F598C81F6F77A9EFC9324F15421FF815A6281DB3DDD01866D
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: __freea$__alloca_probe_16
                                                                                                • String ID: a/p$am/pm
                                                                                                • API String ID: 3509577899-3206640213
                                                                                                • Opcode ID: e0c58fd508ac7f9020f233231798530ee610dc717e528da9a7e0b991552c4189
                                                                                                • Instruction ID: cf09b504ad0dd49156c227457699755419044adef71e8be36bbdd309731302d4
                                                                                                • Opcode Fuzzy Hash: e0c58fd508ac7f9020f233231798530ee610dc717e528da9a7e0b991552c4189
                                                                                                • Instruction Fuzzy Hash: 5FD1F271A00206EAFB249F68D945ABBB7B0FF06300F26415BE905AB749D37D8D41CB5B
                                                                                                APIs
                                                                                                • _strlen.LIBCMT ref: 10001607
                                                                                                • _strcat.LIBCMT ref: 1000161D
                                                                                                • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,1000190E,?,?,00000000,?,00000000), ref: 10001643
                                                                                                • lstrcatW.KERNEL32(?,?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 1000165A
                                                                                                • lstrlenW.KERNEL32(?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 10001661
                                                                                                • lstrcatW.KERNEL32(00001008,?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 10001686
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4482576420.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4482561350.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4482576420.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_10000000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: lstrcatlstrlen$_strcat_strlen
                                                                                                • String ID:
                                                                                                • API String ID: 1922816806-0
                                                                                                • Opcode ID: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
                                                                                                • Instruction ID: a267a6945d1554df97f4c8e17fbec8689bbb0548aac84132402ab8fad08d9bbc
                                                                                                • Opcode Fuzzy Hash: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
                                                                                                • Instruction Fuzzy Hash: 9821A776900204ABEB05DBA4DC85FEE77B8EF88750F24401BF604AB185DF34B94587A9
                                                                                                APIs
                                                                                                • lstrcatW.KERNEL32(?,?,?,?,?,00000000), ref: 10001038
                                                                                                • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 1000104B
                                                                                                • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 10001061
                                                                                                • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 10001075
                                                                                                • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 10001090
                                                                                                • lstrlenW.KERNEL32(?,?,?,00000000), ref: 100010B8
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4482576420.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4482561350.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4482576420.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_10000000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: lstrlen$AttributesFilelstrcat
                                                                                                • String ID:
                                                                                                • API String ID: 3594823470-0
                                                                                                • Opcode ID: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
                                                                                                • Instruction ID: f5da6160d3db499da992451a69b84f141dc83571de07cfa19ff2ab3d93a8fd2c
                                                                                                • Opcode Fuzzy Hash: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
                                                                                                • Instruction Fuzzy Hash: DB21E5359003289BEF10DBA0DC48EDF37B8EF44294F104556E999931A6DE709EC5CF50
                                                                                                APIs
                                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419DFC
                                                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E10
                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E1D
                                                                                                • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419507), ref: 00419E52
                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E64
                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E67
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                                                                • String ID:
                                                                                                • API String ID: 493672254-0
                                                                                                • Opcode ID: 68f1e835941cc6574ae3172da8245a4dbba7b98562f75027ccb4571b71c43179
                                                                                                • Instruction ID: c28812c6d5a3476d8c1fe7dae916194da5da8b168be8dbaba893861dad7fc5da
                                                                                                • Opcode Fuzzy Hash: 68f1e835941cc6574ae3172da8245a4dbba7b98562f75027ccb4571b71c43179
                                                                                                • Instruction Fuzzy Hash: 3301F5311483147AD7119B39EC5EEBF3AACDB42B71F10022BF526D62D1DA68DE8181A9
                                                                                                APIs
                                                                                                • GetLastError.KERNEL32(?,?,00437DFD,004377B1), ref: 00437E14
                                                                                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00437E22
                                                                                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00437E3B
                                                                                                • SetLastError.KERNEL32(00000000,?,00437DFD,004377B1), ref: 00437E8D
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ErrorLastValue___vcrt_
                                                                                                • String ID:
                                                                                                • API String ID: 3852720340-0
                                                                                                • Opcode ID: 621d246bd99772174e6328e27007d7fc44d2e9bedb07ae0db1c9b20682e519a8
                                                                                                • Instruction ID: be779a20f6972cc68ff7cd304671387be2c97454b743a33de387a584dbd8fa65
                                                                                                • Opcode Fuzzy Hash: 621d246bd99772174e6328e27007d7fc44d2e9bedb07ae0db1c9b20682e519a8
                                                                                                • Instruction Fuzzy Hash: 2A01D8B222D315ADEB3427757C87A172699EB09779F2013BFF228851E1EF294C41914C
                                                                                                APIs
                                                                                                • GetLastError.KERNEL32(?,?,10003518,100023F1,10001F17), ref: 10003864
                                                                                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10003872
                                                                                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 1000388B
                                                                                                • SetLastError.KERNEL32(00000000,?,10003518,100023F1,10001F17), ref: 100038DD
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4482576420.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4482561350.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4482576420.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_10000000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorLastValue___vcrt_
                                                                                                • String ID:
                                                                                                • API String ID: 3852720340-0
                                                                                                • Opcode ID: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
                                                                                                • Instruction ID: 2a33bd680f99e964f7cdf1ea0b0e713dcb61597015083b2077453114c578dac0
                                                                                                • Opcode Fuzzy Hash: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
                                                                                                • Instruction Fuzzy Hash: 0F012432608B225EF207D7796CCAA0B2BDDDB096F9B20C27AF510940E9EF219C009300
                                                                                                APIs
                                                                                                • GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                                                                • _free.LIBCMT ref: 00446EF6
                                                                                                • _free.LIBCMT ref: 00446F1E
                                                                                                • SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
                                                                                                • SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                                                                • _abort.LIBCMT ref: 00446F3D
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ErrorLast$_free$_abort
                                                                                                • String ID:
                                                                                                • API String ID: 3160817290-0
                                                                                                • Opcode ID: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
                                                                                                • Instruction ID: 3d2b287d931d31d162837175e2379b90ae0e47a7897f975c134f35b9cb22fcab
                                                                                                • Opcode Fuzzy Hash: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
                                                                                                • Instruction Fuzzy Hash: 2AF0F93560870177F6226339BD45A6F16559BC37A6F36003FF414A2293EE2D8C46451F
                                                                                                APIs
                                                                                                • GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
                                                                                                • _free.LIBCMT ref: 10005B2D
                                                                                                • _free.LIBCMT ref: 10005B55
                                                                                                • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B62
                                                                                                • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
                                                                                                • _abort.LIBCMT ref: 10005B74
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4482576420.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4482561350.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4482576420.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_10000000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorLast$_free$_abort
                                                                                                • String ID:
                                                                                                • API String ID: 3160817290-0
                                                                                                • Opcode ID: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
                                                                                                • Instruction ID: 6ab9c425fee0725613b21b3b36aaf5e4259b246f4cabca8c388d0d7fb541d563
                                                                                                • Opcode Fuzzy Hash: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
                                                                                                • Instruction Fuzzy Hash: 8FF0A47A508911AAF212E3346C4AF0F36AACBC55E3F264125F918A619DFF27B9024174
                                                                                                APIs
                                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C2F
                                                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C43
                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C50
                                                                                                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C5F
                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C71
                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C74
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                • String ID:
                                                                                                • API String ID: 221034970-0
                                                                                                • Opcode ID: cb23a265b501da1ed9a271a63ec08baaa1bf9c1cf5a7cec22900b30d8e19d8fa
                                                                                                • Instruction ID: e05d85410d15b39c35b215a1997cf582e970b4d0c8f2e3caff6268b58306b2a8
                                                                                                • Opcode Fuzzy Hash: cb23a265b501da1ed9a271a63ec08baaa1bf9c1cf5a7cec22900b30d8e19d8fa
                                                                                                • Instruction Fuzzy Hash: F2F0F6325003147BD3116B25EC89EFF3BACDB45BA1F000036F902921D2DB68CD4685F5
                                                                                                APIs
                                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D31
                                                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D45
                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D52
                                                                                                • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D61
                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D73
                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D76
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                • String ID:
                                                                                                • API String ID: 221034970-0
                                                                                                • Opcode ID: 87463e1bdf8bb651a0013945517c704a9b2de3a64a82b3cc186aeafb224c7010
                                                                                                • Instruction ID: 9e91e616c68215657d038be5823d6e3897a30bcf6e0764f9fcdf2292ad9a2404
                                                                                                • Opcode Fuzzy Hash: 87463e1bdf8bb651a0013945517c704a9b2de3a64a82b3cc186aeafb224c7010
                                                                                                • Instruction Fuzzy Hash: C5F062725003146BD2116B65EC89EBF3BACDB45BA5B00003AFA06A21D2DB68DD4696F9
                                                                                                APIs
                                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419D96
                                                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DAA
                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DB7
                                                                                                • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DC6
                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DD8
                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DDB
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                • String ID:
                                                                                                • API String ID: 221034970-0
                                                                                                • Opcode ID: ab1a1cc1830ffa19df902a2de4304976c1de8e56a3f0d841ebfd0113734f6356
                                                                                                • Instruction ID: abda6543b9bae7672c93be1b0f3a8a56711a85df89096aceaf06b6c73a90a6e4
                                                                                                • Opcode Fuzzy Hash: ab1a1cc1830ffa19df902a2de4304976c1de8e56a3f0d841ebfd0113734f6356
                                                                                                • Instruction Fuzzy Hash: C2F0C2325002146BD2116B24FC49EBF3AACDB45BA1B04003AFA06A21D2DB28CE4685F8
                                                                                                APIs
                                                                                                • RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                                                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                                                                • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412AED
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Enum$InfoQueryValue
                                                                                                • String ID: [regsplt]$DG
                                                                                                • API String ID: 3554306468-1089238109
                                                                                                • Opcode ID: aa434b596bc7cfc96ee37101ce23c477f57ee037bc457f691900a854acfd6d81
                                                                                                • Instruction ID: 09469598a034e88a10af8fecb22bb8a395a4bc85e225d04bcc93034602455e52
                                                                                                • Opcode Fuzzy Hash: aa434b596bc7cfc96ee37101ce23c477f57ee037bc457f691900a854acfd6d81
                                                                                                • Instruction Fuzzy Hash: D8512E72108345AFD310EB61D995DEFB7ECEF84744F00493EB585D2191EB74EA088B6A
                                                                                                APIs
                                                                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe,00000104), ref: 00442714
                                                                                                • _free.LIBCMT ref: 004427DF
                                                                                                • _free.LIBCMT ref: 004427E9
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: _free$FileModuleName
                                                                                                • String ID: 8(n$C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe
                                                                                                • API String ID: 2506810119-1441736912
                                                                                                • Opcode ID: ae9165eb27f4f845c69520f3dc3d45a64db1a1f113bc22466fc6999e8739498b
                                                                                                • Instruction ID: 3cff5717343a4e3a710d875500e96c622d597d45f5ef159119de948e6b6562f0
                                                                                                • Opcode Fuzzy Hash: ae9165eb27f4f845c69520f3dc3d45a64db1a1f113bc22466fc6999e8739498b
                                                                                                • Instruction Fuzzy Hash: 3E31B371A00218AFEB21DF9ADD81D9EBBFCEB85314F54406BF804A7311D6B88E41DB59
                                                                                                APIs
                                                                                                  • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                                                                                  • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,?,?,100010DF,?,?,?,00000000), ref: 10001EAC
                                                                                                  • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                                                                                  • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                                                                                  • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,100010DF,?,100010DF,?,?,?,00000000), ref: 10001ED3
                                                                                                • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 1000122A
                                                                                                  • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001855
                                                                                                  • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001869
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4482576420.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4482561350.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4482576420.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_10000000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: lstrlen$_strlenlstrcat$AttributesFile
                                                                                                • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                                                                                • API String ID: 4036392271-1520055953
                                                                                                • Opcode ID: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
                                                                                                • Instruction ID: e2b7c7e1c3038021adfe9ab266432482c710e64fc4cfb1bae4cfd9c1521b4980
                                                                                                • Opcode Fuzzy Hash: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
                                                                                                • Instruction Fuzzy Hash: 4B21D579E142486AFB14D7A0EC92FED7339EF80754F000556F604EB1D5EBB16E818758
                                                                                                APIs
                                                                                                  • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                                                                                  • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                                                                                                  • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                                                                • __Init_thread_footer.LIBCMT ref: 0040AEA7
                                                                                                  • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                                                                                  • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
                                                                                                • String ID: [End of clipboard]$[Text copied to clipboard]$,]G$0]G
                                                                                                • API String ID: 2974294136-753205382
                                                                                                • Opcode ID: a1cc00de9957da759d23a8e4cc62257681437398d2961bd30ab7f179f304f9a5
                                                                                                • Instruction ID: 172b4b58ae75f988d3b3a293bba3f35c56e57800f0e036023c2a0486d145437f
                                                                                                • Opcode Fuzzy Hash: a1cc00de9957da759d23a8e4cc62257681437398d2961bd30ab7f179f304f9a5
                                                                                                • Instruction Fuzzy Hash: 44219F31A002099ACB14FB75D8929EE7774AF54318F50403FF406771E2EF386E4A8A8D
                                                                                                APIs
                                                                                                • GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
                                                                                                • wsprintfW.USER32 ref: 0040A905
                                                                                                  • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: EventLocalTimewsprintf
                                                                                                • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                                                                                • API String ID: 1497725170-248792730
                                                                                                • Opcode ID: 0acfec947856b69bf132d91d358ab5bc594aef04b3e24661333035c5e4e38810
                                                                                                • Instruction ID: 8a7b6ca92c081f7f17d03b5bac770d689c192d548357e869dbc211d44db93d1d
                                                                                                • Opcode Fuzzy Hash: 0acfec947856b69bf132d91d358ab5bc594aef04b3e24661333035c5e4e38810
                                                                                                • Instruction Fuzzy Hash: BB118172400118AACB18BB56EC55CFE77BCAE48325F00013FF842620D1EF7C5A86C6E9
                                                                                                APIs
                                                                                                • CloseHandle.KERNEL32(00000000,00000000,`@,?,0044A991,`@,0046DD28,0000000C), ref: 0044AAC9
                                                                                                • GetLastError.KERNEL32(?,0044A991,`@,0046DD28,0000000C), ref: 0044AAD3
                                                                                                • __dosmaperr.LIBCMT ref: 0044AAFE
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CloseErrorHandleLast__dosmaperr
                                                                                                • String ID: `@$x~p
                                                                                                • API String ID: 2583163307-1544282537
                                                                                                • Opcode ID: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                                                                                • Instruction ID: 1bd3c876d7044edfb1a6812000b34c32b622226010ed5631802de8abdb52b33d
                                                                                                • Opcode Fuzzy Hash: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                                                                                • Instruction Fuzzy Hash: F8018E366446201AF7206674698577F77898B82738F2A027FF904972D2DE6DCCC5C19F
                                                                                                APIs
                                                                                                • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                                                                • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                                                                • Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: File$CloseCreateHandleSizeSleep
                                                                                                • String ID: `AG
                                                                                                • API String ID: 1958988193-3058481221
                                                                                                • Opcode ID: 4ebf0acc99a1bd76ecb676338ad5ca66b749e389f9c6bdc81adf82034e374675
                                                                                                • Instruction ID: 61dc848fc85204ea7fc5a67171cad01df1347b3512dd41eabc6ad436608203b4
                                                                                                • Opcode Fuzzy Hash: 4ebf0acc99a1bd76ecb676338ad5ca66b749e389f9c6bdc81adf82034e374675
                                                                                                • Instruction Fuzzy Hash: 3A11C4303407406AE731E764E88962B7A9AAB91311F44057EF18562AE3D7389CD1829D
                                                                                                APIs
                                                                                                • RegisterClassExA.USER32(00000030), ref: 0041CA6C
                                                                                                • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
                                                                                                • GetLastError.KERNEL32 ref: 0041CA91
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ClassCreateErrorLastRegisterWindow
                                                                                                • String ID: 0$MsgWindowClass
                                                                                                • API String ID: 2877667751-2410386613
                                                                                                • Opcode ID: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
                                                                                                • Instruction ID: bff961279ea7560c1ff94ea7b7e8445e3758215821d07408c43b005d8adda241
                                                                                                • Opcode Fuzzy Hash: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
                                                                                                • Instruction Fuzzy Hash: 2D01E9B1D1431EAB8B01DFE9DCC4AEFBBBDBE49255B50452AE410B2200E7704A448BA5
                                                                                                APIs
                                                                                                • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
                                                                                                • CloseHandle.KERNEL32(?), ref: 00406A0F
                                                                                                • CloseHandle.KERNEL32(?), ref: 00406A14
                                                                                                Strings
                                                                                                • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6
                                                                                                • C:\Windows\System32\cmd.exe, xrefs: 004069FB
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CloseHandle$CreateProcess
                                                                                                • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                                                                • API String ID: 2922976086-4183131282
                                                                                                • Opcode ID: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                                                                                                • Instruction ID: 91eee74bc7ca160cae255ad37e89f65ee2415c19472677646c1a5aeb81073604
                                                                                                • Opcode Fuzzy Hash: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                                                                                                • Instruction Fuzzy Hash: 8AF030B69002A9BACB30ABD69C0EFDF7F7DEBC6B11F00042AB615A6051D6745144CAB9
                                                                                                APIs
                                                                                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044258A,?,?,0044252A,?), ref: 004425F9
                                                                                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044260C
                                                                                                • FreeLibrary.KERNEL32(00000000,?,?,?,0044258A,?,?,0044252A,?), ref: 0044262F
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                • String ID: CorExitProcess$mscoree.dll
                                                                                                • API String ID: 4061214504-1276376045
                                                                                                • Opcode ID: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                                                                                                • Instruction ID: 32bca75c9846dbfd0145c2b425e1dcbc158e0b1ec8d75d3d798e8c7ef3c4518a
                                                                                                • Opcode Fuzzy Hash: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                                                                                                • Instruction Fuzzy Hash: 14F04430904209FBDB169FA5ED09B9EBFB5EB08756F4140B9F805A2251DF749D40CA9C
                                                                                                APIs
                                                                                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000), ref: 10004B59
                                                                                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 10004B6C
                                                                                                • FreeLibrary.KERNEL32(00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082), ref: 10004B8F
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4482576420.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4482561350.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4482576420.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_10000000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                • String ID: CorExitProcess$mscoree.dll
                                                                                                • API String ID: 4061214504-1276376045
                                                                                                • Opcode ID: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
                                                                                                • Instruction ID: e6e2f78cdd7cd30bdf2d4d174718ae12991e9b6ae5ca6a82eaba56a43cf4d13d
                                                                                                • Opcode Fuzzy Hash: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
                                                                                                • Instruction Fuzzy Hash: C8F03C71900218BBEB11AB94CC48BAEBFB9EF043D1F01416AE909A6164DF309941CAA5
                                                                                                APIs
                                                                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,004745A8,00414DB5,00000000,00000000,00000001), ref: 00404AED
                                                                                                • SetEvent.KERNEL32(000002F0), ref: 00404AF9
                                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00404B04
                                                                                                • CloseHandle.KERNEL32(00000000), ref: 00404B0D
                                                                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                                                                • String ID: KeepAlive | Disabled
                                                                                                • API String ID: 2993684571-305739064
                                                                                                • Opcode ID: 6a2e9fed7c31a08c387878a041e76ce1f8cb1591724bfece31842f89ecd98ae4
                                                                                                • Instruction ID: d6da77504ed7f85403cc54e6f32b3900d2337039667ff8d97479a9328fe4a552
                                                                                                • Opcode Fuzzy Hash: 6a2e9fed7c31a08c387878a041e76ce1f8cb1591724bfece31842f89ecd98ae4
                                                                                                • Instruction Fuzzy Hash: F8F0BBB19043007FDB1137759D0E66B7F58AB46325F00457FF892926F1DA38D890875B
                                                                                                APIs
                                                                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00419F64
                                                                                                • PlaySoundW.WINMM(00000000,00000000), ref: 00419F72
                                                                                                • Sleep.KERNEL32(00002710), ref: 00419F79
                                                                                                • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00419F82
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: PlaySound$HandleLocalModuleSleepTime
                                                                                                • String ID: Alarm triggered
                                                                                                • API String ID: 614609389-2816303416
                                                                                                • Opcode ID: b235acc6dc62185f624d205ca418591b0f75406fe2ec0c8e15ad043012baae45
                                                                                                • Instruction ID: 0fe531f7edf44dbbc4d7c544cb5d4c76277d8d7fe89cd9bd4aa838a143c441bc
                                                                                                • Opcode Fuzzy Hash: b235acc6dc62185f624d205ca418591b0f75406fe2ec0c8e15ad043012baae45
                                                                                                • Instruction Fuzzy Hash: 50E09A22A0422033862033BA7C0FC6F3E28DAC6B75B4100BFF905A21A2AE54081086FB
                                                                                                APIs
                                                                                                • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041BF02), ref: 0041BE79
                                                                                                • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BE86
                                                                                                • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041BF02), ref: 0041BE93
                                                                                                • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BEA6
                                                                                                Strings
                                                                                                • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041BE99
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                                                                • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                                                                • API String ID: 3024135584-2418719853
                                                                                                • Opcode ID: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
                                                                                                • Instruction ID: 2ebb83c1e7e70c4501562f07591cf8b091918c9767bda4cb27a2f29097fd03e7
                                                                                                • Opcode Fuzzy Hash: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
                                                                                                • Instruction Fuzzy Hash: C7E04F62104348ABD31437F5BC8ECAB3B7CE784613B100536F612903D3EA7484448A79
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 092d045fd4dfbc3abfb12b6361b7e91f54830b77947eddd119647d88fc19d888
                                                                                                • Instruction ID: 5f24fa964153eb206603784754227e3bedeb81a57cd12874f4c303f17d5dd595
                                                                                                • Opcode Fuzzy Hash: 092d045fd4dfbc3abfb12b6361b7e91f54830b77947eddd119647d88fc19d888
                                                                                                • Instruction Fuzzy Hash: FD71C231900216DBEB218F55C884ABFBB75FF55360F14026BEE10A7281D7B89D61CBA9
                                                                                                APIs
                                                                                                • Sleep.KERNEL32(00000000), ref: 00403E8A
                                                                                                  • Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: H_prologSleep
                                                                                                • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
                                                                                                • API String ID: 3469354165-3547787478
                                                                                                • Opcode ID: 653e1022192f8aa065086298c24fea73a52b39d1b24894ddea56e7c317a4b38e
                                                                                                • Instruction ID: 0dce3c58988623f436d5c5d916b021fc345e3c2d86dff9f08dc17926b78fee06
                                                                                                • Opcode Fuzzy Hash: 653e1022192f8aa065086298c24fea73a52b39d1b24894ddea56e7c317a4b38e
                                                                                                • Instruction Fuzzy Hash: A441A330A0420197CA14FB79C816AAD3A655B45704F00453FF809A73E2EF7C9A45C7CF
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: _free
                                                                                                • String ID:
                                                                                                • API String ID: 269201875-0
                                                                                                • Opcode ID: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                                                                                • Instruction ID: 1dbcf13812f0ad7c91f1b1cf961d24232ef3b5dad0ac29e3e9285c08b65e5f3f
                                                                                                • Opcode Fuzzy Hash: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                                                                                • Instruction Fuzzy Hash: 4A41D532E002049FEB24DF79C881A5EB3A5EF89718F15856EE915EB341DB35EE01CB84
                                                                                                APIs
                                                                                                • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0042CE53,?,?,?,00000001,?,?,00000001,0042CE53,0042CE53), ref: 0044FF20
                                                                                                • __alloca_probe_16.LIBCMT ref: 0044FF58
                                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,0042CE53,?,?,?,00000001,?,?,00000001,0042CE53,0042CE53,?), ref: 0044FFA9
                                                                                                • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,?,?,00000001,0042CE53,0042CE53,?,00000002,?), ref: 0044FFBB
                                                                                                • __freea.LIBCMT ref: 0044FFC4
                                                                                                  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00433627,?,?,00402BE9,?,00402629,00000000,?,00402578,?,?), ref: 00446B31
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                                                                • String ID:
                                                                                                • API String ID: 313313983-0
                                                                                                • Opcode ID: 88201f02e49098e6f592975d0299b58774541eebf8c41212138823b53665fa5d
                                                                                                • Instruction ID: fd0d2a6e26420063bd1679c32ed8e9021f1b2be81e6a043fb7466d0fa567ef17
                                                                                                • Opcode Fuzzy Hash: 88201f02e49098e6f592975d0299b58774541eebf8c41212138823b53665fa5d
                                                                                                • Instruction Fuzzy Hash: 9831FE32A0021AABEF248F65DC41EAF7BA5EB05314F05017BFC04D6290EB39DD58CBA4
                                                                                                APIs
                                                                                                • GetEnvironmentStringsW.KERNEL32 ref: 0044E144
                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E167
                                                                                                  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00433627,?,?,00402BE9,?,00402629,00000000,?,00402578,?,?), ref: 00446B31
                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E18D
                                                                                                • _free.LIBCMT ref: 0044E1A0
                                                                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E1AF
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                                • String ID:
                                                                                                • API String ID: 336800556-0
                                                                                                • Opcode ID: 4bdc18aade4f5afa9f676aa8b8aa9a2318643a84ce2148a0478020116eae0cde
                                                                                                • Instruction ID: 38685928f53d0fdec7f9771a1fbcf5508afe04d06d5fe5a1692e2fd93afee85f
                                                                                                • Opcode Fuzzy Hash: 4bdc18aade4f5afa9f676aa8b8aa9a2318643a84ce2148a0478020116eae0cde
                                                                                                • Instruction Fuzzy Hash: 8201B1726417117F73215ABB6C8CC7B6A6DEEC2BA2315013ABD04D6201DA788C0291B9
                                                                                                APIs
                                                                                                • GetEnvironmentStringsW.KERNEL32 ref: 1000715C
                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000717F
                                                                                                  • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 100071A5
                                                                                                • _free.LIBCMT ref: 100071B8
                                                                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 100071C7
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4482576420.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4482561350.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4482576420.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_10000000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                                • String ID:
                                                                                                • API String ID: 336800556-0
                                                                                                • Opcode ID: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
                                                                                                • Instruction ID: fdf90bdbf822fabaf3dd9d310e80898d5fc59248e37e3ebe61ec6e18e74c85b1
                                                                                                • Opcode Fuzzy Hash: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
                                                                                                • Instruction Fuzzy Hash: 6601D872A01225BB73129BBE5C8CDBF2A6DFBC69E0311012AFD0CC7288DB658C0181B0
                                                                                                APIs
                                                                                                • GetLastError.KERNEL32(00000000,?,?,00445359,00446B42,00000000,?,00433627,?,?,00402BE9,?,00402629,00000000,?,00402578), ref: 00446F48
                                                                                                • _free.LIBCMT ref: 00446F7D
                                                                                                • _free.LIBCMT ref: 00446FA4
                                                                                                • SetLastError.KERNEL32(00000000), ref: 00446FB1
                                                                                                • SetLastError.KERNEL32(00000000), ref: 00446FBA
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ErrorLast$_free
                                                                                                • String ID:
                                                                                                • API String ID: 3170660625-0
                                                                                                • Opcode ID: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                                                                                • Instruction ID: 6bd692df8320938abc1815071491dbd9703328d73d2f54107518a18b095bb187
                                                                                                • Opcode Fuzzy Hash: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                                                                                • Instruction Fuzzy Hash: 7401D13620C70067F61266757C85D2F266DDBC3B66727013FF958A2292EE2CCC0A452F
                                                                                                APIs
                                                                                                • GetLastError.KERNEL32(00000000,?,00000000,1000636D,10005713,00000000,?,10002249,?,?,10001D66,00000000,?,?,00000000), ref: 10005B7F
                                                                                                • _free.LIBCMT ref: 10005BB4
                                                                                                • _free.LIBCMT ref: 10005BDB
                                                                                                • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BE8
                                                                                                • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BF1
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4482576420.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4482561350.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4482576420.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_10000000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorLast$_free
                                                                                                • String ID:
                                                                                                • API String ID: 3170660625-0
                                                                                                • Opcode ID: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                                                                                                • Instruction ID: a404960836b3e2f032ab47abdd1028028b52a365ddf0c47563f665e512f3cffd
                                                                                                • Opcode Fuzzy Hash: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                                                                                                • Instruction Fuzzy Hash: 5501F47A108A52A7F202E7345C85E1F3AAEDBC55F37220025FD19A615EEF73FD024164
                                                                                                APIs
                                                                                                • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                                                                                • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                                                                                • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041B3C8
                                                                                                • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3D3
                                                                                                • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3DB
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Process$CloseHandleOpen$FileImageName
                                                                                                • String ID:
                                                                                                • API String ID: 2951400881-0
                                                                                                • Opcode ID: b8726634bc2d24e9c2e2bc3987753934be5434803c47aebb3633f4ceaff1eb89
                                                                                                • Instruction ID: bb9aee54fd4b55ef2446b45ef4d52834339351c189d8e7c886657dc3bd6b5f1d
                                                                                                • Opcode Fuzzy Hash: b8726634bc2d24e9c2e2bc3987753934be5434803c47aebb3633f4ceaff1eb89
                                                                                                • Instruction Fuzzy Hash: 2FF04971204209ABD3106754AC4AFA7B27CDB40B96F000037FA61D22A1FFB4CCC146AE
                                                                                                APIs
                                                                                                • lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                                                                                • lstrcatW.KERNEL32(?,?,?,100010DF,?,?,?,00000000), ref: 10001EAC
                                                                                                • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                                                                                • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                                                                                • lstrcatW.KERNEL32(?,100010DF,?,100010DF,?,?,?,00000000), ref: 10001ED3
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4482576420.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4482561350.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4482576420.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_10000000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: lstrlen$lstrcat
                                                                                                • String ID:
                                                                                                • API String ID: 493641738-0
                                                                                                • Opcode ID: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
                                                                                                • Instruction ID: f5d9027fafc921fe84ae6627056796c55de3fa1ad923a59450c5185d8ca5453c
                                                                                                • Opcode Fuzzy Hash: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
                                                                                                • Instruction Fuzzy Hash: D8F082261002207AF621772AECC5FBF7B7CEFC6AA0F04001AFA0C83194DB54684292B5
                                                                                                APIs
                                                                                                • _free.LIBCMT ref: 0044F7B5
                                                                                                  • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                                                                  • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                                                                • _free.LIBCMT ref: 0044F7C7
                                                                                                • _free.LIBCMT ref: 0044F7D9
                                                                                                • _free.LIBCMT ref: 0044F7EB
                                                                                                • _free.LIBCMT ref: 0044F7FD
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                                • String ID:
                                                                                                • API String ID: 776569668-0
                                                                                                • Opcode ID: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                                                                • Instruction ID: 78b16e2cd2bc6e4547488c8f4e3d182d22cf8911186b8f77a4a783cd10448158
                                                                                                • Opcode Fuzzy Hash: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                                                                • Instruction Fuzzy Hash: 9AF01232505600BBE620EB59E8C5C1773E9EB827147A9482BF408F7641CB3DFCC48A6C
                                                                                                APIs
                                                                                                • _free.LIBCMT ref: 100091D0
                                                                                                  • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                                                  • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                • _free.LIBCMT ref: 100091E2
                                                                                                • _free.LIBCMT ref: 100091F4
                                                                                                • _free.LIBCMT ref: 10009206
                                                                                                • _free.LIBCMT ref: 10009218
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4482576420.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4482561350.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4482576420.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_10000000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                                • String ID:
                                                                                                • API String ID: 776569668-0
                                                                                                • Opcode ID: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                                                                                                • Instruction ID: a08e021c65853776c99c3fd86fadada58ae96d962e635c5153d22f52a77de1c5
                                                                                                • Opcode Fuzzy Hash: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                                                                                                • Instruction Fuzzy Hash: 77F06DB161C650ABE664DB58EAC6C4B7BEDFB003E13608805FC4DD7549CB31FC809A64
                                                                                                APIs
                                                                                                • _free.LIBCMT ref: 00443305
                                                                                                  • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                                                                  • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                                                                • _free.LIBCMT ref: 00443317
                                                                                                • _free.LIBCMT ref: 0044332A
                                                                                                • _free.LIBCMT ref: 0044333B
                                                                                                • _free.LIBCMT ref: 0044334C
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                                • String ID:
                                                                                                • API String ID: 776569668-0
                                                                                                • Opcode ID: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                                                                                                • Instruction ID: 76e6a482bc9a1727a28655d1f271e5fc3ecde01143ea680422932a64b095765e
                                                                                                • Opcode Fuzzy Hash: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                                                                                                • Instruction Fuzzy Hash: B9F05EF08075209FAB12AF2DBD014893BA0B786755306413BF41EB2772EB380D95DB8E
                                                                                                APIs
                                                                                                • _free.LIBCMT ref: 1000536F
                                                                                                  • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                                                  • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                • _free.LIBCMT ref: 10005381
                                                                                                • _free.LIBCMT ref: 10005394
                                                                                                • _free.LIBCMT ref: 100053A5
                                                                                                • _free.LIBCMT ref: 100053B6
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4482576420.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4482561350.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4482576420.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_10000000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                                • String ID:
                                                                                                • API String ID: 776569668-0
                                                                                                • Opcode ID: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
                                                                                                • Instruction ID: ba906e9feca9bc6e71cd1aa5ebacb8f64a9f241ffe6b13fedf7f16c4e4854dfa
                                                                                                • Opcode Fuzzy Hash: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
                                                                                                • Instruction Fuzzy Hash: 38F0F478C18934EBF741DF28ADC140A3BB5F718A91342C15AFC1497279DB36D9429B84
                                                                                                APIs
                                                                                                • GetWindowThreadProcessId.USER32(?,?), ref: 00416768
                                                                                                • GetWindowTextW.USER32(?,?,0000012C), ref: 0041679A
                                                                                                • IsWindowVisible.USER32(?), ref: 004167A1
                                                                                                  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                                                                                  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ProcessWindow$Open$TextThreadVisible
                                                                                                • String ID: (FG
                                                                                                • API String ID: 3142014140-2273637114
                                                                                                • Opcode ID: fda56e45b393d4fbe729944c23874229a9f0d2b36fec767842575fa95d0cb5ce
                                                                                                • Instruction ID: 6337817d5adb2ff800b6fe7f9081d1b6a06097940366009b721c4d78a1625a25
                                                                                                • Opcode Fuzzy Hash: fda56e45b393d4fbe729944c23874229a9f0d2b36fec767842575fa95d0cb5ce
                                                                                                • Instruction Fuzzy Hash: FD71E6321082414AC325FB61D8A5ADFB3E4AFE4319F50453EF58A530E1EF746A49C79A
                                                                                                APIs
                                                                                                • _strpbrk.LIBCMT ref: 0044D4A8
                                                                                                • _free.LIBCMT ref: 0044D5C5
                                                                                                  • Part of subcall function 0043A854: IsProcessorFeaturePresent.KERNEL32(00000017,0043A826,?,?,?,00414BBD,?,00000000,00000000,?,0043A846,00000000,00000000,00000000,00000000,00000000), ref: 0043A856
                                                                                                  • Part of subcall function 0043A854: GetCurrentProcess.KERNEL32(C0000417), ref: 0043A878
                                                                                                  • Part of subcall function 0043A854: TerminateProcess.KERNEL32(00000000), ref: 0043A87F
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                                                                • String ID: *?$.
                                                                                                • API String ID: 2812119850-3972193922
                                                                                                • Opcode ID: dbad545dedeb202f26215854c3da024dc0fb99b6c0e3b260b863dc96475f25f4
                                                                                                • Instruction ID: 2d4433a3afc190a5690657b280c6536bac4d5ba0d1806d6c31be7b1549e3be36
                                                                                                • Opcode Fuzzy Hash: dbad545dedeb202f26215854c3da024dc0fb99b6c0e3b260b863dc96475f25f4
                                                                                                • Instruction Fuzzy Hash: 7251B371E00109AFEF14DFA9C881AAEB7F5EF58318F24416FE854E7301DA799E018B54
                                                                                                APIs
                                                                                                • GetKeyboardLayoutNameA.USER32(?), ref: 00409601
                                                                                                  • Part of subcall function 004041F1: socket.WS2_32(00000002,00000001,00000006), ref: 00404212
                                                                                                  • Part of subcall function 0040428C: connect.WS2_32(?,00707240,00000010), ref: 004042A5
                                                                                                  • Part of subcall function 0041B6AA: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0041B6BF
                                                                                                  • Part of subcall function 00404468: send.WS2_32(000002E8,00000000,00000000,00000000), ref: 004044FD
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CreateFileKeyboardLayoutNameconnectsendsocket
                                                                                                • String ID: XCG$`AG$>G
                                                                                                • API String ID: 2334542088-2372832151
                                                                                                • Opcode ID: 42bc51c78dee6acbefb86a42c13474efe691e96bf1385950867561e892f876e1
                                                                                                • Instruction ID: 7adbea44916697806613a62f0197ef330eb15d5bc584e2d7fa9685cab7613629
                                                                                                • Opcode Fuzzy Hash: 42bc51c78dee6acbefb86a42c13474efe691e96bf1385950867561e892f876e1
                                                                                                • Instruction Fuzzy Hash: 865143321042405BC325F775D8A2AEF73D5AFE4308F50483FF84A671E2EE785949C69A
                                                                                                APIs
                                                                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe,00000104), ref: 10004C1D
                                                                                                • _free.LIBCMT ref: 10004CE8
                                                                                                • _free.LIBCMT ref: 10004CF2
                                                                                                Strings
                                                                                                • C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe, xrefs: 10004C14, 10004C1B, 10004C4A, 10004C82
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4482576420.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4482561350.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4482576420.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_10000000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: _free$FileModuleName
                                                                                                • String ID: C:\Users\user\Desktop\1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe
                                                                                                • API String ID: 2506810119-400024431
                                                                                                • Opcode ID: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                                                                                                • Instruction ID: 12f2da1a58c9c923660241357757b5dddff340f6d61411cdc8d35d961f62cc7a
                                                                                                • Opcode Fuzzy Hash: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                                                                                                • Instruction Fuzzy Hash: EB31A0B5A01258EFFB51CF99CC81D9EBBFCEB88390F12806AF80497215DA709E41CB54
                                                                                                APIs
                                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A
                                                                                                  • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
                                                                                                  • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                                                                                  • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                                                                                  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                                                                • Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                                                                • String ID: /sort "Visit Time" /stext "$8>G
                                                                                                • API String ID: 368326130-2663660666
                                                                                                • Opcode ID: e8a549f5c5cc42fa25f038c5153f07e649d559ba3fdd5c36896a34310632fdc4
                                                                                                • Instruction ID: 7eda923cdb9144c2d3fbd791e6ccfb72172be11f11f2a08a3aebfaec1b2861d2
                                                                                                • Opcode Fuzzy Hash: e8a549f5c5cc42fa25f038c5153f07e649d559ba3fdd5c36896a34310632fdc4
                                                                                                • Instruction Fuzzy Hash: E5317331A0021456CB14FBB6DC969EE7775AF90318F40017FF906B71D2EF385A8ACA99
                                                                                                APIs
                                                                                                • CreateThread.KERNEL32(00000000,00000000,004099A9,?,00000000,00000000), ref: 0040992A
                                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040993A
                                                                                                • CreateThread.KERNEL32(00000000,00000000,004099B5,?,00000000,00000000), ref: 00409946
                                                                                                  • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
                                                                                                  • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CreateThread$LocalTimewsprintf
                                                                                                • String ID: Offline Keylogger Started
                                                                                                • API String ID: 465354869-4114347211
                                                                                                • Opcode ID: cb8a03be056689720b60d86a3406a6e62e156d1a3bd4db580f81fd222f69def5
                                                                                                • Instruction ID: 73cd13916ef890eca76c0e29a3751801184202c96e3ca0ae9416a03768ca9078
                                                                                                • Opcode Fuzzy Hash: cb8a03be056689720b60d86a3406a6e62e156d1a3bd4db580f81fd222f69def5
                                                                                                • Instruction Fuzzy Hash: CF11ABB15003097AD220BA36DC87CBF765CDA813A8B40053EF845225D3EA785E54C6FB
                                                                                                APIs
                                                                                                  • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
                                                                                                  • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040A691
                                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 0040A69D
                                                                                                • CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CreateThread$LocalTime$wsprintf
                                                                                                • String ID: Online Keylogger Started
                                                                                                • API String ID: 112202259-1258561607
                                                                                                • Opcode ID: 790fcc5922756c448fefe1602dd0fb8a744b0b9e84c93640108f6d754dbc134a
                                                                                                • Instruction ID: 3917ec9fcb61ff418b23047d8298326e5ff7fd14d64f683336ff9c65b5464130
                                                                                                • Opcode Fuzzy Hash: 790fcc5922756c448fefe1602dd0fb8a744b0b9e84c93640108f6d754dbc134a
                                                                                                • Instruction Fuzzy Hash: DE01C4916003093AE62076368C87DBF3A6DCA813A8F40043EF541362C3E97D5D5582FB
                                                                                                APIs
                                                                                                • PathFileExistsW.SHLWAPI(00000000), ref: 00419EAE
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ExistsFilePath
                                                                                                • String ID: TUF$alarm.wav$xIG
                                                                                                • API String ID: 1174141254-2188790166
                                                                                                • Opcode ID: f5716c598d93938de6c1b64b86aecc22f848ba1ae643d7b2288a8514a34d2b5c
                                                                                                • Instruction ID: 7a4fe07350b1461b8d7cab7706a536354aa1130be6e3c83a2e6414618e768e61
                                                                                                • Opcode Fuzzy Hash: f5716c598d93938de6c1b64b86aecc22f848ba1ae643d7b2288a8514a34d2b5c
                                                                                                • Instruction Fuzzy Hash: 8B01802060420166C604B676D866AEE77458BC1719F40413FF89A966E2EF6CAEC6C2DF
                                                                                                APIs
                                                                                                • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
                                                                                                • CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
                                                                                                • SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CloseEventHandleObjectSingleWait
                                                                                                • String ID: Connection Timeout
                                                                                                • API String ID: 2055531096-499159329
                                                                                                • Opcode ID: e4aafb68730189f051766cfe717f4579ae2cf6b1a1b95cb5a966786d982b9e87
                                                                                                • Instruction ID: ea4abd021a31a941d528121f8d879e106695b0b6a7a7fd2d86c7f06b9a048df4
                                                                                                • Opcode Fuzzy Hash: e4aafb68730189f051766cfe717f4579ae2cf6b1a1b95cb5a966786d982b9e87
                                                                                                • Instruction Fuzzy Hash: 7A01F5B1940B41AFD325BB3A9C4645ABBE4AB45315700053FF6D392BB1DA38E8408B5A
                                                                                                APIs
                                                                                                • RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 0041277F
                                                                                                • RegSetValueExW.ADVAPI32(?,?,00000000,00000001,00000000,00000000,004742F8,?,0040E5CB,pth_unenc, \o), ref: 004127AD
                                                                                                • RegCloseKey.ADVAPI32(?,?,0040E5CB,pth_unenc, \o), ref: 004127B8
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CloseCreateValue
                                                                                                • String ID: pth_unenc
                                                                                                • API String ID: 1818849710-4028850238
                                                                                                • Opcode ID: 7fb84232b7661129f93bed74f5109d0e76784bc5d303e4d247da168f20c3a91f
                                                                                                • Instruction ID: fff2d7bcc465bc574364a4979b4b77ba115ffea085319746951fe37a0eeb78e5
                                                                                                • Opcode Fuzzy Hash: 7fb84232b7661129f93bed74f5109d0e76784bc5d303e4d247da168f20c3a91f
                                                                                                • Instruction Fuzzy Hash: 9FF0CD31500218BBDF109FA0ED46EEF37ACAB40B50F104539F902A60A1E675DB14DAA4
                                                                                                APIs
                                                                                                • std::_Lockit::_Lockit.LIBCPMT ref: 0040CDC9
                                                                                                • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CE08
                                                                                                  • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 004347DC
                                                                                                  • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 00434800
                                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CE2C
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                                                                • String ID: bad locale name
                                                                                                • API String ID: 3628047217-1405518554
                                                                                                • Opcode ID: bd0a6a6dae6415356e731995008518494c413937943f369f1725fb776b78fea2
                                                                                                • Instruction ID: 69d9b4558c1556c2c918d31b5ea24064f6fee533cc814fb99c42b36f0b05f267
                                                                                                • Opcode Fuzzy Hash: bd0a6a6dae6415356e731995008518494c413937943f369f1725fb776b78fea2
                                                                                                • Instruction Fuzzy Hash: 1AF08171400204EAC724FB23D853ACA73A49F54748F90497FB506214D2EF38A618CA8C
                                                                                                APIs
                                                                                                • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ExecuteShell
                                                                                                • String ID: /C $cmd.exe$open
                                                                                                • API String ID: 587946157-3896048727
                                                                                                • Opcode ID: a342b09abf055597aed8f6fcd2cf2a15ee069eaa9ef8e66675d254ea24c1838a
                                                                                                • Instruction ID: 3ae8c2b06d9b1922b9065f49b1512f2a4b1b87a12dccb2265ed1bd098505db2c
                                                                                                • Opcode Fuzzy Hash: a342b09abf055597aed8f6fcd2cf2a15ee069eaa9ef8e66675d254ea24c1838a
                                                                                                • Instruction Fuzzy Hash: D8E030701043006AC708FB61DC95C7F77AC9A80708F10083EB542A21E2EF3CA949C65E
                                                                                                APIs
                                                                                                • TerminateThread.KERNEL32(004099A9,00000000,004742F8,pth_unenc,0040BF26, \o,004742F8,?,pth_unenc), ref: 0040AFC9
                                                                                                • UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                                                                • TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: TerminateThread$HookUnhookWindows
                                                                                                • String ID: pth_unenc
                                                                                                • API String ID: 3123878439-4028850238
                                                                                                • Opcode ID: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
                                                                                                • Instruction ID: c35477c7b81069fed5c639b3d306817a7c517f63bcb5e1090982200d4e51bed9
                                                                                                • Opcode Fuzzy Hash: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
                                                                                                • Instruction Fuzzy Hash: 32E01DB1209317DFD3101F546C84825B799EB44356324047FF6C155252C5798C54C759
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: __alldvrm$_strrchr
                                                                                                • String ID:
                                                                                                • API String ID: 1036877536-0
                                                                                                • Opcode ID: 04a0325834f843994ade633b459a1d3cb356a39676a395bc181b674f0ba6452b
                                                                                                • Instruction ID: 63a095292c52d92af2bf19a392fdfa9b0d117a80b68c781492b1ecdde0b53e6f
                                                                                                • Opcode Fuzzy Hash: 04a0325834f843994ade633b459a1d3cb356a39676a395bc181b674f0ba6452b
                                                                                                • Instruction Fuzzy Hash: 60A168729042469FFB21CF58C8817AEBBE2EF55314F24416FE5849B382DA3C8D45C759
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: d8b583558f75d554b20f0fedcbaebc1f151a0833ef22d7844c2f17114d5a19f4
                                                                                                • Instruction ID: 90b3d0a8f148eb65ba096d855dd205fb67a40d318d5acb0a54968c3478788488
                                                                                                • Opcode Fuzzy Hash: d8b583558f75d554b20f0fedcbaebc1f151a0833ef22d7844c2f17114d5a19f4
                                                                                                • Instruction Fuzzy Hash: 10412B71A00744AFF724AF78CC41B6ABBE8EF88714F10452FF511DB291E679A9458788
                                                                                                APIs
                                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,10006FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 10008731
                                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 100087BA
                                                                                                • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 100087CC
                                                                                                • __freea.LIBCMT ref: 100087D5
                                                                                                  • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4482576420.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4482561350.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4482576420.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_10000000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                                                • String ID:
                                                                                                • API String ID: 2652629310-0
                                                                                                • Opcode ID: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
                                                                                                • Instruction ID: 5b9b35b0a4db414dac5c81271493033b4f2f0f3dd9b893eeefd60fa04c8ec889
                                                                                                • Opcode Fuzzy Hash: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
                                                                                                • Instruction Fuzzy Hash: 2731AE32A0021AABEF15CF64CC85EAF7BA5EF44290F214129FC48D7158EB35DE50CBA0
                                                                                                APIs
                                                                                                Strings
                                                                                                • Cleared browsers logins and cookies., xrefs: 0040B8EF
                                                                                                • [Cleared browsers logins and cookies.], xrefs: 0040B8DE
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Sleep
                                                                                                • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                                                                • API String ID: 3472027048-1236744412
                                                                                                • Opcode ID: f93b6b6c96551599ebd69fe64bee0d63dad0637a340ebfcf96dabdaa3587bf98
                                                                                                • Instruction ID: 8ec9c8031b8ac0664cfb8a22ca307bf710261ddd843e88104a77dac6ce00e7b7
                                                                                                • Opcode Fuzzy Hash: f93b6b6c96551599ebd69fe64bee0d63dad0637a340ebfcf96dabdaa3587bf98
                                                                                                • Instruction Fuzzy Hash: FA31891564C3816ACA11777514167EB6F958A93754F0884BFF8C4273E3DB7A480893EF
                                                                                                APIs
                                                                                                  • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                                                                  • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                                                                  • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                                                                • Sleep.KERNEL32(00000BB8), ref: 004115C3
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CloseOpenQuerySleepValue
                                                                                                • String ID: \o$0?o$exepath
                                                                                                • API String ID: 4119054056-1779792021
                                                                                                • Opcode ID: ce40ddf8ade15cbc55dad7ca55a643431616a938a18cec2763378ea7843a65e0
                                                                                                • Instruction ID: 48aadeccb903c06d46a934e3c92f1fe58b0119fffb77d403c20537554d94cb98
                                                                                                • Opcode Fuzzy Hash: ce40ddf8ade15cbc55dad7ca55a643431616a938a18cec2763378ea7843a65e0
                                                                                                • Instruction Fuzzy Hash: C721F4A0B002042BD614B77A6C06ABF724E8BD1308F00457FBD4AA72D3DE7D9D4581AD
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: SystemTimes$Sleep__aulldiv
                                                                                                • String ID:
                                                                                                • API String ID: 188215759-0
                                                                                                • Opcode ID: 92a2626712ce3f1da2ce83f7d896a05a413d351f08ea1f1dcdc4cf9aeb41d840
                                                                                                • Instruction ID: 3b66203fd79088dfadce72ddbf0b0401c54eb4bd27628439374ba0e7aa9136f0
                                                                                                • Opcode Fuzzy Hash: 92a2626712ce3f1da2ce83f7d896a05a413d351f08ea1f1dcdc4cf9aeb41d840
                                                                                                • Instruction Fuzzy Hash: 9D215E725083009BC304DF65D98589FB7E8EFC8654F044A2EF589D3251EA34EA49CB63
                                                                                                APIs
                                                                                                  • Part of subcall function 0041B6E6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B6F6
                                                                                                  • Part of subcall function 0041B6E6: GetWindowTextLengthW.USER32(00000000), ref: 0041B6FF
                                                                                                  • Part of subcall function 0041B6E6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B729
                                                                                                • Sleep.KERNEL32(000001F4), ref: 00409C95
                                                                                                • Sleep.KERNEL32(00000064), ref: 00409D1F
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Window$SleepText$ForegroundLength
                                                                                                • String ID: [ $ ]
                                                                                                • API String ID: 3309952895-93608704
                                                                                                • Opcode ID: ebd93478415d7ceaf08988c946588b0e8d461d13856b31c8a019e387675c6f26
                                                                                                • Instruction ID: a5f4dc9a3e016f43683dc3f70dfd76a68f9d753ffdb665cb1c6be196efeb7d0c
                                                                                                • Opcode Fuzzy Hash: ebd93478415d7ceaf08988c946588b0e8d461d13856b31c8a019e387675c6f26
                                                                                                • Instruction Fuzzy Hash: 4611C0325082005BD218FB25DC17AAEB7A8AF51708F40047FF542221E3EF39AE1986DF
                                                                                                APIs
                                                                                                • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5CE
                                                                                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041B5EB
                                                                                                • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041B5FF
                                                                                                • CloseHandle.KERNEL32(00000000), ref: 0041B60C
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: File$CloseCreateHandlePointerWrite
                                                                                                • String ID:
                                                                                                • API String ID: 3604237281-0
                                                                                                • Opcode ID: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                                                                                • Instruction ID: 083799f3d1f95ebfb1fb2bbe8bc155d348f6fb5eb74ded268dd94cd43ec1eb57
                                                                                                • Opcode Fuzzy Hash: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                                                                                • Instruction Fuzzy Hash: 7501F5712092157FE6104F28AC89EBB739EEB86379F10063AF552C22C0D725CD8586BE
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
                                                                                                • Instruction ID: c84c011be516b9a55b4d27d1f6be1bd7d35570b7e88518a67a440710abbdd315
                                                                                                • Opcode Fuzzy Hash: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
                                                                                                • Instruction Fuzzy Hash: 780126F26097153EF62016796CC1F6B230CDF823B8B34073BF421652E1EAA8CC01506C
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
                                                                                                • Instruction ID: e6f180ecc181abb5a77ec057abe27f8575e00a75e8bcf6cd4df5c03139e47140
                                                                                                • Opcode Fuzzy Hash: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
                                                                                                • Instruction Fuzzy Hash: E10121F2A092163EB62016797DD0DA7260DDF823B8374033BF421722D2EAA88C004068
                                                                                                APIs
                                                                                                • ___BuildCatchObject.LIBVCRUNTIME ref: 0043810F
                                                                                                  • Part of subcall function 0043805C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043808B
                                                                                                  • Part of subcall function 0043805C: ___AdjustPointer.LIBCMT ref: 004380A6
                                                                                                • _UnwindNestedFrames.LIBCMT ref: 00438124
                                                                                                • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438135
                                                                                                • CallCatchBlock.LIBVCRUNTIME ref: 0043815D
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                                                                • String ID:
                                                                                                • API String ID: 737400349-0
                                                                                                • Opcode ID: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                                                                                • Instruction ID: 9a8277e88b86f5caaa8344fd0510e130f37262ecddc885b6c63592dc4fca678f
                                                                                                • Opcode Fuzzy Hash: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                                                                                • Instruction Fuzzy Hash: 09014032100208BBDF126E96CC45DEB7B69EF4C758F04500DFE4866121C739E861DBA8
                                                                                                APIs
                                                                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00414BBD,00000000,00000000,?,004471B7,00414BBD,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue), ref: 00447242
                                                                                                • GetLastError.KERNEL32(?,004471B7,00414BBD,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446F91), ref: 0044724E
                                                                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004471B7,00414BBD,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000), ref: 0044725C
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: LibraryLoad$ErrorLast
                                                                                                • String ID:
                                                                                                • API String ID: 3177248105-0
                                                                                                • Opcode ID: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                                                                • Instruction ID: 998cab178f840ac2caaf283a3a5c141d85ba25b8fcaedc139a46ff50caeaa73b
                                                                                                • Opcode Fuzzy Hash: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                                                                • Instruction Fuzzy Hash: FC01D83261D7236BD7214B79AC44A577798BB05BA1B1106B2F906E3241D768D802C6D8
                                                                                                APIs
                                                                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,10001D66,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue), ref: 10005D13
                                                                                                • GetLastError.KERNEL32(?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000,00000364,?,10005BC8), ref: 10005D1F
                                                                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000), ref: 10005D2D
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4482576420.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4482561350.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4482576420.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_10000000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: LibraryLoad$ErrorLast
                                                                                                • String ID:
                                                                                                • API String ID: 3177248105-0
                                                                                                • Opcode ID: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                                                                                                • Instruction ID: ab8c2af688280ff547417c348c7c3430721907d0b6a0cc88e9d35c15e8af339b
                                                                                                • Opcode Fuzzy Hash: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                                                                                                • Instruction Fuzzy Hash: 59018436615732ABE7319B689C8CB4B7798EF056E2B214623F909D7158D731D801CAE0
                                                                                                APIs
                                                                                                • GetSystemMetrics.USER32(0000004C), ref: 00418519
                                                                                                • GetSystemMetrics.USER32(0000004D), ref: 0041851F
                                                                                                • GetSystemMetrics.USER32(0000004E), ref: 00418525
                                                                                                • GetSystemMetrics.USER32(0000004F), ref: 0041852B
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: MetricsSystem
                                                                                                • String ID:
                                                                                                • API String ID: 4116985748-0
                                                                                                • Opcode ID: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
                                                                                                • Instruction ID: 928f1b056b10b768f566869b0c9e39fed015f0adb742d9b99f9daccd71f82e50
                                                                                                • Opcode Fuzzy Hash: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
                                                                                                • Instruction Fuzzy Hash: 96F0D672B043216BCA00EA798C4556FBB97DFD02A4F25083FE6059B341DEB8EC4687D9
                                                                                                APIs
                                                                                                • __startOneArgErrorHandling.LIBCMT ref: 00441F6D
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ErrorHandling__start
                                                                                                • String ID: pow
                                                                                                • API String ID: 3213639722-2276729525
                                                                                                • Opcode ID: c11d7b0c0eb8e10153fe90c38a808d625a788e1790705f3c08302100bb714254
                                                                                                • Instruction ID: c296867054112a427edbdd16b3baf579c6faf9d8481746a729c2ad46b2c40409
                                                                                                • Opcode Fuzzy Hash: c11d7b0c0eb8e10153fe90c38a808d625a788e1790705f3c08302100bb714254
                                                                                                • Instruction Fuzzy Hash: 2A517B61A1620196F7117714C98137F2BD0DB50741F688D6BF085423F9DF3D8CDA9A4E
                                                                                                APIs
                                                                                                • _free.LIBCMT ref: 1000655C
                                                                                                  • Part of subcall function 100062BC: IsProcessorFeaturePresent.KERNEL32(00000017,100062AB,00000000,?,?,?,?,00000016,?,?,100062B8,00000000,00000000,00000000,00000000,00000000), ref: 100062BE
                                                                                                  • Part of subcall function 100062BC: GetCurrentProcess.KERNEL32(C0000417), ref: 100062E0
                                                                                                  • Part of subcall function 100062BC: TerminateProcess.KERNEL32(00000000), ref: 100062E7
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4482576420.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4482561350.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4482576420.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_10000000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                                                                • String ID: *?$.
                                                                                                • API String ID: 2667617558-3972193922
                                                                                                • Opcode ID: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                                                                                • Instruction ID: 55016225c6cf3c2ad74d5bf99958d96f24b8fe448c0df4d83e2be8db5664878a
                                                                                                • Opcode Fuzzy Hash: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                                                                                • Instruction Fuzzy Hash: 2D519475E0060A9FEB14CFA8CC81AADB7F6FF4C394F258169E854E7349D635AE018B50
                                                                                                APIs
                                                                                                • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DB59
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Info
                                                                                                • String ID: $fD
                                                                                                • API String ID: 1807457897-3092946448
                                                                                                • Opcode ID: 5a1be195421d57dadb90a7404d285975d7b8ac1b4122976fa75ce4288470c48d
                                                                                                • Instruction ID: 070357306f4c5095a08430c9ceac02bf5c2973ae7142a422f036c1757655e3b4
                                                                                                • Opcode Fuzzy Hash: 5a1be195421d57dadb90a7404d285975d7b8ac1b4122976fa75ce4288470c48d
                                                                                                • Instruction Fuzzy Hash: C241FA7090439C9AEB218F24CCC4BF6BBB9DF45308F1404EEE59A87242D279AE45DF65
                                                                                                APIs
                                                                                                • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417C08
                                                                                                  • Part of subcall function 004177A2: GdipLoadImageFromStream.GDIPLUS(?,?,?,00417C1B,00000000,?,?,?,?,00000000), ref: 004177B6
                                                                                                • SHCreateMemStream.SHLWAPI(00000000), ref: 00417C55
                                                                                                  • Part of subcall function 00417815: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00417C71,00000000,?,?), ref: 00417827
                                                                                                  • Part of subcall function 004177C5: GdipDisposeImage.GDIPLUS(?,00417CCC), ref: 004177CE
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                                                                • String ID: image/jpeg
                                                                                                • API String ID: 1291196975-3785015651
                                                                                                • Opcode ID: fa7ad5d4cca06413aa3153280c9deb26addd226233a17832a60259afbc4e9117
                                                                                                • Instruction ID: 3dbe320e324aa312c145f712c1d391ec03548c85c69305bb74e69b0931de3aa8
                                                                                                • Opcode Fuzzy Hash: fa7ad5d4cca06413aa3153280c9deb26addd226233a17832a60259afbc4e9117
                                                                                                • Instruction Fuzzy Hash: 13315C75508300AFC301AF65C884DAFBBF9FF8A704F000A2EF94597251DB79A905CBA6
                                                                                                APIs
                                                                                                • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00450B39,?,00000050,?,?,?,?,?), ref: 004509B9
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: ACP$OCP
                                                                                                • API String ID: 0-711371036
                                                                                                • Opcode ID: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                                                                                • Instruction ID: 7e3e8aaac6bfe0b7539266298c93f9b0706a3ab6a9e9f394231f134d2b8bf5b7
                                                                                                • Opcode Fuzzy Hash: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                                                                                • Instruction Fuzzy Hash: 072138EAA04201A6F7348B558801B9B7396AF54B23F164826EC49D730BF739DD49C358
                                                                                                APIs
                                                                                                • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417CF4
                                                                                                  • Part of subcall function 004177A2: GdipLoadImageFromStream.GDIPLUS(?,?,?,00417C1B,00000000,?,?,?,?,00000000), ref: 004177B6
                                                                                                • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00417D19
                                                                                                  • Part of subcall function 00417815: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00417C71,00000000,?,?), ref: 00417827
                                                                                                  • Part of subcall function 004177C5: GdipDisposeImage.GDIPLUS(?,00417CCC), ref: 004177CE
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                                                                • String ID: image/png
                                                                                                • API String ID: 1291196975-2966254431
                                                                                                • Opcode ID: 7c847f4afdc389cf9a271c0bd5ee0ce482c286e0475bb26b27d0e01e1af6b93a
                                                                                                • Instruction ID: e3b7944e5392015f30009faa46d0af48502643625c308f0969f1fef2cb3c76d4
                                                                                                • Opcode Fuzzy Hash: 7c847f4afdc389cf9a271c0bd5ee0ce482c286e0475bb26b27d0e01e1af6b93a
                                                                                                • Instruction Fuzzy Hash: AA21A135204211AFC300AF61CC88CAFBBBDEFCA714F10052EF90693151DB399945CBA6
                                                                                                APIs
                                                                                                • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 004049F1
                                                                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 00404A4E
                                                                                                Strings
                                                                                                • KeepAlive | Enabled | Timeout: , xrefs: 004049E5
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: LocalTime
                                                                                                • String ID: KeepAlive | Enabled | Timeout:
                                                                                                • API String ID: 481472006-1507639952
                                                                                                • Opcode ID: c85f398c135e6bfb2ddcb662ac4b5b76fbeb043ec222003978e5f459600d5f93
                                                                                                • Instruction ID: fa495feba5854bec2644a8330ceabc5ae1d4c14ac10d4033695aa89a80f4fa5c
                                                                                                • Opcode Fuzzy Hash: c85f398c135e6bfb2ddcb662ac4b5b76fbeb043ec222003978e5f459600d5f93
                                                                                                • Instruction Fuzzy Hash: 5A2126A1A042806BC310FB6AD80A76B7B9497D1319F44407EF849532E2DB3C5999CB9F
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4482576420.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4482561350.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4482576420.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_10000000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: _strlen
                                                                                                • String ID: : $Se.
                                                                                                • API String ID: 4218353326-4089948878
                                                                                                • Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                                                • Instruction ID: 66f447a9efa091531784e06c0e565222335d100d85517175c1dac28435e0d9bb
                                                                                                • Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                                                • Instruction Fuzzy Hash: 2F11E7B5904249AEDB11DFA8D841BDEFBFCEF09244F104056E545E7252E6706B02C765
                                                                                                APIs
                                                                                                • GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: LocalTime
                                                                                                • String ID: | $%02i:%02i:%02i:%03i
                                                                                                • API String ID: 481472006-2430845779
                                                                                                • Opcode ID: ffbca637f7398eabbe71b31d60376a068a264cf4888f2c1ea49432b73ef532ec
                                                                                                • Instruction ID: d205b4ebe2adc0156a37935a73d605e8b5d9817e81284f53efab16a15aec7ece
                                                                                                • Opcode Fuzzy Hash: ffbca637f7398eabbe71b31d60376a068a264cf4888f2c1ea49432b73ef532ec
                                                                                                • Instruction Fuzzy Hash: 80114C725082045AC704EBA5D8568AF73E8AB94708F10053FFC85931E1EF38DA84C69E
                                                                                                APIs
                                                                                                • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00412612
                                                                                                • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00412648
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: QueryValue
                                                                                                • String ID: TUF
                                                                                                • API String ID: 3660427363-3431404234
                                                                                                • Opcode ID: 1636fbb0ac47c152b1cc20f2060babeef58eb75f28316eb00dcc0bc63989a3ea
                                                                                                • Instruction ID: 62a4949b47554db758ef5e9b715c6ec4cc130d120bf99ac1ec1555789b8052d8
                                                                                                • Opcode Fuzzy Hash: 1636fbb0ac47c152b1cc20f2060babeef58eb75f28316eb00dcc0bc63989a3ea
                                                                                                • Instruction Fuzzy Hash: BC01A7B6A00108BFDB049B95DD46EFF7ABDDF44240F10007AF901E2251E6749F009664
                                                                                                APIs
                                                                                                  • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
                                                                                                  • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                • CloseHandle.KERNEL32(?), ref: 0040A7CA
                                                                                                • UnhookWindowsHookEx.USER32 ref: 0040A7DD
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                                                                • String ID: Online Keylogger Stopped
                                                                                                • API String ID: 1623830855-1496645233
                                                                                                • Opcode ID: a317c7f28f18b2fbfb0fce45f8699a20ca887b173ff606de2ff24ca0fd2e1774
                                                                                                • Instruction ID: 3c154674506c802d119dc10506b29c5389a087cae46ba36945c53301bfe6088f
                                                                                                • Opcode Fuzzy Hash: a317c7f28f18b2fbfb0fce45f8699a20ca887b173ff606de2ff24ca0fd2e1774
                                                                                                • Instruction Fuzzy Hash: CC01D431A043019BDB25BB35C80B7AEBBB59B45315F80407FE481225D2EB7999A6C3DB
                                                                                                APIs
                                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 10002903
                                                                                                  • Part of subcall function 100035D2: RaiseException.KERNEL32(?,?,?,10002925,00000000,00000000,00000000,?,?,?,?,?,10002925,?,100121B8), ref: 10003632
                                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 10002920
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4482576420.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4482561350.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4482576420.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_10000000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Exception@8Throw$ExceptionRaise
                                                                                                • String ID: Unknown exception
                                                                                                • API String ID: 3476068407-410509341
                                                                                                • Opcode ID: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
                                                                                                • Instruction ID: 696891806b75a506f07e96a947ab79166ff1ea0d2f17bc9dac180a151cc952bd
                                                                                                • Opcode Fuzzy Hash: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
                                                                                                • Instruction Fuzzy Hash: 2BF0A47890420D77AB04E6E5EC4599D77ACDB006D0F508161FD1496499EF31FA658690
                                                                                                APIs
                                                                                                • waveInPrepareHeader.WINMM(006FEFD8,00000020,?,?,00000000,00475B70,00473EE8,?,00000000,00401913), ref: 00401747
                                                                                                • waveInAddBuffer.WINMM(006FEFD8,00000020,?,00000000,00401913), ref: 0040175D
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: wave$BufferHeaderPrepare
                                                                                                • String ID: T=G
                                                                                                • API String ID: 2315374483-379896819
                                                                                                • Opcode ID: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                                                                                                • Instruction ID: f8644d152c35c587af506687758c025c54344a6e575747702fe1289d7b8da532
                                                                                                • Opcode Fuzzy Hash: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                                                                                                • Instruction Fuzzy Hash: 65018B71301300AFD7209F39EC45A69BBA9EB4931AF01413EB808D32B1EB34A8509B98
                                                                                                APIs
                                                                                                • IsValidLocale.KERNEL32(00000000,j=D,00000000,00000001,?,?,00443D6A,?,?,?,?,00000004), ref: 004477DC
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: LocaleValid
                                                                                                • String ID: IsValidLocaleName$j=D
                                                                                                • API String ID: 1901932003-3128777819
                                                                                                • Opcode ID: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                                                                                                • Instruction ID: d075984350fdfa8650c9f53b231b8a0b142c4dacf6ed37e79753978632a381d4
                                                                                                • Opcode Fuzzy Hash: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                                                                                                • Instruction Fuzzy Hash: B7F0E930A45218F7EA116B61DC06F5EBB54CF49B11F50407AFD056A293CB796D0195DC
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: H_prolog
                                                                                                • String ID: T=G$T=G
                                                                                                • API String ID: 3519838083-3732185208
                                                                                                • Opcode ID: d35d56db29c3f898e339c7594dbfd576fe9197a4ca502cfea50645c21fb802bf
                                                                                                • Instruction ID: 37a3980bbf64332544f5ef03d086655580814226aad47650f393c0c18fea351b
                                                                                                • Opcode Fuzzy Hash: d35d56db29c3f898e339c7594dbfd576fe9197a4ca502cfea50645c21fb802bf
                                                                                                • Instruction Fuzzy Hash: BCF0E971A00220ABC714BB65C80669EB774EF41369F10827FB416B72E1CBBD5D04D65D
                                                                                                APIs
                                                                                                • GetKeyState.USER32(00000011), ref: 0040AD5B
                                                                                                  • Part of subcall function 00409B10: GetForegroundWindow.USER32 ref: 00409B3F
                                                                                                  • Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                                                                  • Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                                                                  • Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
                                                                                                  • Part of subcall function 00409B10: GetKeyboardState.USER32(?), ref: 00409B67
                                                                                                  • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                                                                  • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                                                                  • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                                                                • String ID: [AltL]$[AltR]
                                                                                                • API String ID: 2738857842-2658077756
                                                                                                • Opcode ID: c0c7afa873da1f73a1fe5c81c8cf2f93ed3ee5fe4ba19fbc98e8737b6bcc32b1
                                                                                                • Instruction ID: d2c0c429c9fe13b3c6c970781ecfc4970ab7400740a1dec538c1fc9fef0a0b20
                                                                                                • Opcode Fuzzy Hash: c0c7afa873da1f73a1fe5c81c8cf2f93ed3ee5fe4ba19fbc98e8737b6bcc32b1
                                                                                                • Instruction Fuzzy Hash: 47E0652134072117C898323EA91E6EE3A228F82B65B80416FF8866BAD6DD6D4D5053CB
                                                                                                APIs
                                                                                                • _free.LIBCMT ref: 00448825
                                                                                                  • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                                                                  • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ErrorFreeHeapLast_free
                                                                                                • String ID: `@$`@
                                                                                                • API String ID: 1353095263-20545824
                                                                                                • Opcode ID: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                                                                • Instruction ID: 46705ffcfacdd7a720b29fb61e5cb4af2d59a6418439a2947ca99394172970e0
                                                                                                • Opcode Fuzzy Hash: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                                                                • Instruction Fuzzy Hash: B9E06D761006059F8720DE6DD400A86B7E4EF95360320852AE89DE3310DB32E812CB40
                                                                                                APIs
                                                                                                • GetKeyState.USER32(00000012), ref: 0040ADB5
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: State
                                                                                                • String ID: [CtrlL]$[CtrlR]
                                                                                                • API String ID: 1649606143-2446555240
                                                                                                • Opcode ID: 017dd08ea117ef9949e136069607eb1ceb0e9bbc0bd8767c02a12888e350b825
                                                                                                • Instruction ID: 615b7dbe40c0b8188db9493e0f2b19f017fb36a74fa458c508a435569d7d4a1e
                                                                                                • Opcode Fuzzy Hash: 017dd08ea117ef9949e136069607eb1ceb0e9bbc0bd8767c02a12888e350b825
                                                                                                • Instruction Fuzzy Hash: 71E0862170071117C514353DD61A67F39228F41776F80013FF882ABAC6E96D8D6023CB
                                                                                                APIs
                                                                                                • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040BFB2,00000000, \o,004742F8,?,pth_unenc), ref: 00412988
                                                                                                • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00412998
                                                                                                Strings
                                                                                                • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412986
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: DeleteOpenValue
                                                                                                • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                                                                • API String ID: 2654517830-1051519024
                                                                                                • Opcode ID: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                                                                • Instruction ID: 4813e9247c8a4fa7715124fbb4df20ddc3d96ddce1d5e270e7c0f337b45b5704
                                                                                                • Opcode Fuzzy Hash: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                                                                • Instruction Fuzzy Hash: 0AE01270310304BFEF104F61ED06FDB37ACBB80B89F004165F505E5191E2B5DD54A658
                                                                                                APIs
                                                                                                • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040AF84
                                                                                                • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040AFAF
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: DeleteDirectoryFileRemove
                                                                                                • String ID: pth_unenc
                                                                                                • API String ID: 3325800564-4028850238
                                                                                                • Opcode ID: 4546e6e0ba58337ae7336522498a141f2916029a30d3b6ad4aab1b42fa748339
                                                                                                • Instruction ID: b68931c7331ddc333ece9e06749e281aefc344294653c9eba2f2de372e339d66
                                                                                                • Opcode Fuzzy Hash: 4546e6e0ba58337ae7336522498a141f2916029a30d3b6ad4aab1b42fa748339
                                                                                                • Instruction Fuzzy Hash: FEE046715112108BC610AB31EC44AEBB398AB05316F00487FF8D3A36A1DE38A988CA98
                                                                                                APIs
                                                                                                • TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                                                                • WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ObjectProcessSingleTerminateWait
                                                                                                • String ID: pth_unenc
                                                                                                • API String ID: 1872346434-4028850238
                                                                                                • Opcode ID: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
                                                                                                • Instruction ID: 4302d9c34f7b4dbdac7fc8682473a51625df35810590c52ad239c14707b44b4b
                                                                                                • Opcode Fuzzy Hash: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
                                                                                                • Instruction Fuzzy Hash: C1D0C938559211AFD7614B68BC08B453B6AA745222F108277F828413F1C72598A4AE1C
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CountInfoInputLastTick
                                                                                                • String ID: >G
                                                                                                • API String ID: 3478931382-1296849874
                                                                                                • Opcode ID: 1111c95a6731b81c7f960cf0461dbe35cffbdc62c157a0c369b4dce9d438a623
                                                                                                • Instruction ID: 0f25e8e52f9a29d92835049ed671f456ff59a02a7b46a548dc943f175ac88346
                                                                                                • Opcode Fuzzy Hash: 1111c95a6731b81c7f960cf0461dbe35cffbdc62c157a0c369b4dce9d438a623
                                                                                                • Instruction Fuzzy Hash: FCD0127040020DBFCB00DFE4EC4D98DBFFCEB00349F104168A005A2111DB70E6448B24
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CommandLine
                                                                                                • String ID: 8(n
                                                                                                • API String ID: 3253501508-577671119
                                                                                                • Opcode ID: 2702c5f118dd3839dbc4dd886e2cdb728e5ea39e06e223ea52f31eba807d30e7
                                                                                                • Instruction ID: 13d69598d350970c9b91df73096b24a53109b9b907d0ea4b726438dfa3130670
                                                                                                • Opcode Fuzzy Hash: 2702c5f118dd3839dbc4dd886e2cdb728e5ea39e06e223ea52f31eba807d30e7
                                                                                                • Instruction Fuzzy Hash: 09B0027D8157009FC7419F79BD5D1443BA0B75861339094B5DC19C7B35DA358085EF18
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4482576420.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4482561350.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4482576420.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_10000000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CommandLine
                                                                                                • String ID: 8(n
                                                                                                • API String ID: 3253501508-577671119
                                                                                                • Opcode ID: f03b9bd105845c934ec86b57f4a2021404f8ac89823aaf0d7c22f7e26958660e
                                                                                                • Instruction ID: 64725d3052c2c9ae7bbd7e52e8b3a5750bb25634a918b02f39acb7dc5bcd530d
                                                                                                • Opcode Fuzzy Hash: f03b9bd105845c934ec86b57f4a2021404f8ac89823aaf0d7c22f7e26958660e
                                                                                                • Instruction Fuzzy Hash: C0B00278C012209FE744AF7499DC2487FB0B758752B90D8AFD51AD2764D635C047EF20
                                                                                                APIs
                                                                                                • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FAF4
                                                                                                • GetLastError.KERNEL32 ref: 0043FB02
                                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FB5D
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.4481159811.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.4481107212.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481209972.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481263424.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.4481301247.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ByteCharMultiWide$ErrorLast
                                                                                                • String ID:
                                                                                                • API String ID: 1717984340-0
                                                                                                • Opcode ID: 641cf42bdd343eb89e62379c4a250951f72419ef29a502270e4b2a68cd87e0bf
                                                                                                • Instruction ID: ecac45699e256c48587d6f27f66036641a8fb520bb473c9b2adecd150689d728
                                                                                                • Opcode Fuzzy Hash: 641cf42bdd343eb89e62379c4a250951f72419ef29a502270e4b2a68cd87e0bf
                                                                                                • Instruction Fuzzy Hash: 65414871E00206AFCF258F65C854ABBFBA4EF09310F1451BAF858973A1DB38AD09C759

                                                                                                Execution Graph

                                                                                                Execution Coverage:6.4%
                                                                                                Dynamic/Decrypted Code Coverage:9.2%
                                                                                                Signature Coverage:2.1%
                                                                                                Total number of Nodes:2000
                                                                                                Total number of Limit Nodes:72
                                                                                                execution_graph 37630 415321 realloc 37631 41534d 37630->37631 37632 415340 37630->37632 37634 416760 11 API calls 37631->37634 37634->37632 37635 44dea5 37636 44deb5 FreeLibrary 37635->37636 37637 44dec3 37635->37637 37636->37637 37638 4287c1 37639 4287d2 37638->37639 37642 429ac1 37638->37642 37643 428818 37639->37643 37644 42881f 37639->37644 37653 425711 37639->37653 37640 4259da 37701 416760 11 API calls 37640->37701 37672 425ad6 37642->37672 37708 415c56 11 API calls 37642->37708 37675 42013a 37643->37675 37703 420244 97 API calls 37644->37703 37646 4260dd 37702 424251 120 API calls 37646->37702 37649 4259c2 37649->37672 37695 415c56 11 API calls 37649->37695 37653->37640 37653->37642 37653->37649 37656 429a4d 37653->37656 37659 422aeb memset memcpy memcpy 37653->37659 37663 4260a1 37653->37663 37671 425a38 37653->37671 37691 4227f0 memset memcpy 37653->37691 37692 422b84 15 API calls 37653->37692 37693 422b5d memset memcpy memcpy 37653->37693 37694 422640 13 API calls 37653->37694 37696 4241fc 11 API calls 37653->37696 37697 42413a 90 API calls 37653->37697 37657 429a66 37656->37657 37658 429a9b 37656->37658 37704 415c56 11 API calls 37657->37704 37662 429a96 37658->37662 37706 416760 11 API calls 37658->37706 37659->37653 37707 424251 120 API calls 37662->37707 37700 415c56 11 API calls 37663->37700 37665 429a7a 37705 416760 11 API calls 37665->37705 37671->37649 37698 422640 13 API calls 37671->37698 37699 4226e0 12 API calls 37671->37699 37676 42014c 37675->37676 37679 420151 37675->37679 37718 41e466 97 API calls 37676->37718 37678 420162 37678->37653 37679->37678 37680 4201b3 37679->37680 37681 420229 37679->37681 37682 4201b8 37680->37682 37683 4201dc 37680->37683 37681->37678 37684 41fd5e 86 API calls 37681->37684 37709 41fbdb 37682->37709 37683->37678 37687 4201ff 37683->37687 37715 41fc4c 37683->37715 37684->37678 37687->37678 37690 42013a 97 API calls 37687->37690 37690->37678 37691->37653 37692->37653 37693->37653 37694->37653 37695->37640 37696->37653 37697->37653 37698->37671 37699->37671 37700->37640 37701->37646 37702->37672 37703->37653 37704->37665 37705->37662 37706->37662 37707->37642 37708->37640 37710 41fbf1 37709->37710 37711 41fbf8 37709->37711 37714 41fc39 37710->37714 37733 4446ce 11 API calls 37710->37733 37723 41ee26 37711->37723 37714->37678 37719 41fd5e 37714->37719 37716 41ee6b 86 API calls 37715->37716 37717 41fc5d 37716->37717 37717->37683 37718->37679 37720 41fd65 37719->37720 37721 41fdab 37720->37721 37722 41fbdb 86 API calls 37720->37722 37721->37678 37722->37720 37724 41ee41 37723->37724 37725 41ee32 37723->37725 37734 41edad 37724->37734 37737 4446ce 11 API calls 37725->37737 37728 41ee3c 37728->37710 37731 41ee58 37731->37728 37739 41ee6b 37731->37739 37733->37714 37743 41be52 37734->37743 37737->37728 37738 41eb85 11 API calls 37738->37731 37740 41ee70 37739->37740 37741 41ee78 37739->37741 37796 41bf99 86 API calls 37740->37796 37741->37728 37744 41be6f 37743->37744 37745 41be5f 37743->37745 37750 41be8c 37744->37750 37775 418c63 memset memset 37744->37775 37774 4446ce 11 API calls 37745->37774 37747 41be69 37747->37728 37747->37738 37750->37747 37751 41bf3a 37750->37751 37753 41bed1 37750->37753 37755 41bee7 37750->37755 37778 4446ce 11 API calls 37751->37778 37754 41bef0 37753->37754 37757 41bee2 37753->37757 37754->37755 37756 41bf01 37754->37756 37755->37747 37779 41a453 86 API calls 37755->37779 37758 41bf24 memset 37756->37758 37760 41bf14 37756->37760 37776 418a6d memset memcpy memset 37756->37776 37764 41ac13 37757->37764 37758->37747 37777 41a223 memset memcpy memset 37760->37777 37763 41bf20 37763->37758 37765 41ac52 37764->37765 37766 41ac3f memset 37764->37766 37768 41ac6a 37765->37768 37780 41dc14 19 API calls 37765->37780 37771 41acd9 37766->37771 37769 41aca1 37768->37769 37781 41519d 37768->37781 37769->37771 37772 41acc0 memset 37769->37772 37773 41accd memcpy 37769->37773 37771->37755 37772->37771 37773->37771 37774->37747 37775->37750 37776->37760 37777->37763 37778->37755 37780->37768 37784 4175ed 37781->37784 37792 417570 SetFilePointer 37784->37792 37787 41760a ReadFile 37788 417637 37787->37788 37789 417627 GetLastError 37787->37789 37790 4151b3 37788->37790 37791 41763e memset 37788->37791 37789->37790 37790->37769 37791->37790 37793 41759c GetLastError 37792->37793 37795 4175b2 37792->37795 37794 4175a8 GetLastError 37793->37794 37793->37795 37794->37795 37795->37787 37795->37790 37796->37741 37797 417bc5 37798 417c61 37797->37798 37799 417bda 37797->37799 37799->37798 37800 417bf6 UnmapViewOfFile CloseHandle 37799->37800 37802 417c2c 37799->37802 37804 4175b7 37799->37804 37800->37799 37800->37800 37802->37799 37809 41851e 20 API calls 37802->37809 37805 4175d6 CloseHandle 37804->37805 37806 4175c8 37805->37806 37807 4175df 37805->37807 37806->37807 37808 4175ce Sleep 37806->37808 37807->37799 37808->37805 37809->37802 37810 4152c7 malloc 37811 4152ef 37810->37811 37813 4152e2 37810->37813 37814 416760 11 API calls 37811->37814 37814->37813 37815 415308 free 37816 41276d 37817 41277d 37816->37817 37859 4044a4 LoadLibraryW 37817->37859 37819 412785 37820 412789 37819->37820 37867 414b81 37819->37867 37823 4127c8 37873 412465 memset ??2@YAPAXI 37823->37873 37825 4127ea 37885 40ac21 37825->37885 37830 412813 37903 40dd07 memset 37830->37903 37831 412827 37908 40db69 memset 37831->37908 37834 412822 37929 4125b6 ??3@YAXPAX 37834->37929 37836 40ada2 _wcsicmp 37838 41283d 37836->37838 37838->37834 37841 412863 CoInitialize 37838->37841 37913 41268e 37838->37913 37933 4123e2 GetModuleHandleW RegisterClassW GetModuleHandleW CreateWindowExW 37841->37933 37844 41296f 37935 40b633 37844->37935 37846 412873 ShowWindow UpdateWindow GetModuleHandleW LoadAcceleratorsW GetMessageW 37851 412957 CoUninitialize 37846->37851 37856 4128ca 37846->37856 37851->37834 37852 4128d0 TranslateAcceleratorW 37853 412941 GetMessageW 37852->37853 37852->37856 37853->37851 37853->37852 37854 412909 IsDialogMessageW 37854->37853 37854->37856 37855 4128fd IsDialogMessageW 37855->37853 37855->37854 37856->37852 37856->37854 37856->37855 37857 41292b TranslateMessage DispatchMessageW 37856->37857 37858 41291f IsDialogMessageW 37856->37858 37857->37853 37858->37853 37858->37857 37860 4044f7 37859->37860 37861 4044cf GetProcAddress 37859->37861 37865 404507 MessageBoxW 37860->37865 37866 40451e 37860->37866 37862 4044e8 FreeLibrary 37861->37862 37863 4044df 37861->37863 37862->37860 37864 4044f3 37862->37864 37863->37862 37864->37860 37865->37819 37866->37819 37868 414b8a 37867->37868 37869 412794 SetErrorMode GetModuleHandleW EnumResourceTypesW 37867->37869 37939 40a804 memset 37868->37939 37869->37823 37872 414b9e GetProcAddress 37872->37869 37874 4124e0 37873->37874 37875 412505 ??2@YAPAXI 37874->37875 37876 41251c 37875->37876 37881 412521 37875->37881 37961 40e820 memset ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI 37876->37961 37950 444722 37881->37950 37884 41259b wcscpy 37884->37825 37966 40b1ab free free 37885->37966 37887 40ad76 37967 40aa04 37887->37967 37890 40a9ce malloc memcpy free free 37893 40ac5c 37890->37893 37891 40ad4b 37891->37887 37990 40a9ce 37891->37990 37893->37887 37893->37890 37893->37891 37894 40ace7 free 37893->37894 37970 40a8d0 37893->37970 37982 4099f4 37893->37982 37894->37893 37898 40a8d0 7 API calls 37898->37887 37899 40ada2 37900 40adc9 37899->37900 37901 40adaa 37899->37901 37900->37830 37900->37831 37901->37900 37902 40adb3 _wcsicmp 37901->37902 37902->37900 37902->37901 37995 40dce0 37903->37995 37905 40dd3a GetModuleHandleW 38000 40dba7 37905->38000 37909 40dce0 3 API calls 37908->37909 37910 40db99 37909->37910 38072 40dae1 37910->38072 38086 402f3a 37913->38086 37915 412766 37915->37834 37915->37841 37916 4126d3 _wcsicmp 37917 4126a8 37916->37917 37917->37915 37917->37916 37919 41270a 37917->37919 38120 4125f8 7 API calls 37917->38120 37919->37915 38089 411ac5 37919->38089 37930 4125da 37929->37930 37931 4125f0 37930->37931 37932 4125e6 DeleteObject 37930->37932 37934 40b1ab free free 37931->37934 37932->37931 37933->37846 37934->37844 37936 40b640 37935->37936 37937 40b639 free 37935->37937 37938 40b1ab free free 37936->37938 37937->37936 37938->37820 37940 40a83b GetSystemDirectoryW 37939->37940 37941 40a84c wcscpy 37939->37941 37940->37941 37946 409719 wcslen 37941->37946 37944 40a881 LoadLibraryW 37945 40a886 37944->37945 37945->37869 37945->37872 37947 409724 37946->37947 37948 409739 wcscat LoadLibraryW 37946->37948 37947->37948 37949 40972c wcscat 37947->37949 37948->37944 37948->37945 37949->37948 37951 444732 37950->37951 37952 444728 DeleteObject 37950->37952 37962 409cc3 37951->37962 37952->37951 37954 412551 37955 4010f9 37954->37955 37956 401130 37955->37956 37957 401134 GetModuleHandleW LoadIconW 37956->37957 37958 401107 wcsncat 37956->37958 37959 40a7be 37957->37959 37958->37956 37960 40a7d2 37959->37960 37960->37884 37960->37960 37961->37881 37965 409bfd memset wcscpy 37962->37965 37964 409cdb CreateFontIndirectW 37964->37954 37965->37964 37966->37893 37968 40aa14 37967->37968 37969 40aa0a free 37967->37969 37968->37899 37969->37968 37971 40a8eb 37970->37971 37972 40a8df wcslen 37970->37972 37973 40a906 free 37971->37973 37974 40a90f 37971->37974 37972->37971 37975 40a919 37973->37975 37976 4099f4 3 API calls 37974->37976 37977 40a932 37975->37977 37978 40a929 free 37975->37978 37976->37975 37980 4099f4 3 API calls 37977->37980 37979 40a93e memcpy 37978->37979 37979->37893 37981 40a93d 37980->37981 37981->37979 37983 409a41 37982->37983 37984 4099fb malloc 37982->37984 37983->37893 37986 409a37 37984->37986 37987 409a1c 37984->37987 37986->37893 37988 409a30 free 37987->37988 37989 409a20 memcpy 37987->37989 37988->37986 37989->37988 37991 40a9e7 37990->37991 37992 40a9dc free 37990->37992 37993 4099f4 3 API calls 37991->37993 37994 40a9f2 37992->37994 37993->37994 37994->37898 38019 409bca GetModuleFileNameW 37995->38019 37997 40dce6 wcsrchr 37998 40dcf5 37997->37998 37999 40dcf9 wcscat 37997->37999 37998->37999 37999->37905 38020 44db70 38000->38020 38004 40dbfd 38023 4447d9 38004->38023 38007 40dc34 wcscpy wcscpy 38049 40d6f5 38007->38049 38008 40dc1f wcscpy 38008->38007 38011 40d6f5 3 API calls 38012 40dc73 38011->38012 38013 40d6f5 3 API calls 38012->38013 38014 40dc89 38013->38014 38015 40d6f5 3 API calls 38014->38015 38016 40dc9c EnumResourceNamesW EnumResourceNamesW wcscpy 38015->38016 38055 40da80 38016->38055 38019->37997 38021 40dbb4 memset memset 38020->38021 38022 409bca GetModuleFileNameW 38021->38022 38022->38004 38024 4447f4 38023->38024 38025 40dc1b 38024->38025 38026 444807 ??2@YAPAXI 38024->38026 38025->38007 38025->38008 38027 44481f 38026->38027 38028 444873 _snwprintf 38027->38028 38029 4448ab wcscpy 38027->38029 38062 44474a 8 API calls 38028->38062 38031 4448bb 38029->38031 38063 44474a 8 API calls 38031->38063 38032 4448a7 38032->38029 38032->38031 38034 4448cd 38064 44474a 8 API calls 38034->38064 38036 4448e2 38065 44474a 8 API calls 38036->38065 38038 4448f7 38066 44474a 8 API calls 38038->38066 38040 44490c 38067 44474a 8 API calls 38040->38067 38042 444921 38068 44474a 8 API calls 38042->38068 38044 444936 38069 44474a 8 API calls 38044->38069 38046 44494b 38070 44474a 8 API calls 38046->38070 38048 444960 ??3@YAXPAX 38048->38025 38050 44db70 38049->38050 38051 40d702 memset GetPrivateProfileStringW 38050->38051 38052 40d752 38051->38052 38053 40d75c WritePrivateProfileStringW 38051->38053 38052->38053 38054 40d758 38052->38054 38053->38054 38054->38011 38056 44db70 38055->38056 38057 40da8d memset 38056->38057 38058 40daac LoadStringW 38057->38058 38061 40dac6 38058->38061 38060 40dade 38060->37834 38061->38058 38061->38060 38071 40d76e memset GetPrivateProfileStringW WritePrivateProfileStringW memset _itow 38061->38071 38062->38032 38063->38034 38064->38036 38065->38038 38066->38040 38067->38042 38068->38044 38069->38046 38070->38048 38071->38061 38082 409b98 GetFileAttributesW 38072->38082 38074 40daea 38075 40daef wcscpy wcscpy GetPrivateProfileIntW 38074->38075 38081 40db63 38074->38081 38083 40d65d GetPrivateProfileStringW 38075->38083 38077 40db3e 38084 40d65d GetPrivateProfileStringW 38077->38084 38079 40db4f 38085 40d65d GetPrivateProfileStringW 38079->38085 38081->37836 38082->38074 38083->38077 38084->38079 38085->38081 38121 40eaff 38086->38121 38090 411ae2 memset 38089->38090 38091 411b8f 38089->38091 38161 409bca GetModuleFileNameW 38090->38161 38103 411a8b 38091->38103 38093 411b0a wcsrchr 38094 411b22 wcscat 38093->38094 38095 411b1f 38093->38095 38162 414770 wcscpy wcscpy wcscpy CreateFileW CloseHandle 38094->38162 38095->38094 38097 411b67 38163 402afb 38097->38163 38101 411b7f 38219 40ea13 SendMessageW memset SendMessageW 38101->38219 38104 402afb 27 API calls 38103->38104 38105 411ac0 38104->38105 38106 4110dc 38105->38106 38107 41113e 38106->38107 38112 4110f0 38106->38112 38244 40969c LoadCursorW SetCursor 38107->38244 38109 411143 38245 4032b4 38109->38245 38263 444a54 38109->38263 38110 4110f7 _wcsicmp 38110->38112 38111 411157 38113 40ada2 _wcsicmp 38111->38113 38112->38107 38112->38110 38266 410c46 10 API calls 38112->38266 38116 411167 38113->38116 38114 4111af 38116->38114 38117 4111a6 qsort 38116->38117 38117->38114 38120->37917 38122 40eb10 38121->38122 38134 40e8e0 38122->38134 38125 40eb6c memcpy memcpy 38126 40ebb7 38125->38126 38126->38125 38127 40ebf2 ??2@YAPAXI ??2@YAPAXI 38126->38127 38129 40d134 16 API calls 38126->38129 38128 40ec65 38127->38128 38130 40ec2e ??2@YAPAXI 38127->38130 38144 40ea7f 38128->38144 38129->38126 38130->38128 38133 402f49 38133->37917 38135 40e8f2 38134->38135 38136 40e8eb ??3@YAXPAX 38134->38136 38137 40e900 38135->38137 38138 40e8f9 ??3@YAXPAX 38135->38138 38136->38135 38139 40e911 38137->38139 38140 40e90a ??3@YAXPAX 38137->38140 38138->38137 38141 40e931 ??2@YAPAXI ??2@YAPAXI 38139->38141 38142 40e921 ??3@YAXPAX 38139->38142 38143 40e92a ??3@YAXPAX 38139->38143 38140->38139 38141->38125 38142->38143 38143->38141 38145 40aa04 free 38144->38145 38146 40ea88 38145->38146 38147 40aa04 free 38146->38147 38148 40ea90 38147->38148 38149 40aa04 free 38148->38149 38150 40ea98 38149->38150 38151 40aa04 free 38150->38151 38152 40eaa0 38151->38152 38153 40a9ce 4 API calls 38152->38153 38154 40eab3 38153->38154 38155 40a9ce 4 API calls 38154->38155 38156 40eabd 38155->38156 38157 40a9ce 4 API calls 38156->38157 38158 40eac7 38157->38158 38159 40a9ce 4 API calls 38158->38159 38160 40ead1 38159->38160 38160->38133 38161->38093 38162->38097 38220 40b2cc 38163->38220 38165 402b0a 38166 40b2cc 27 API calls 38165->38166 38167 402b23 38166->38167 38168 40b2cc 27 API calls 38167->38168 38169 402b3a 38168->38169 38170 40b2cc 27 API calls 38169->38170 38171 402b54 38170->38171 38172 40b2cc 27 API calls 38171->38172 38173 402b6b 38172->38173 38174 40b2cc 27 API calls 38173->38174 38175 402b82 38174->38175 38176 40b2cc 27 API calls 38175->38176 38177 402b99 38176->38177 38178 40b2cc 27 API calls 38177->38178 38179 402bb0 38178->38179 38180 40b2cc 27 API calls 38179->38180 38181 402bc7 38180->38181 38182 40b2cc 27 API calls 38181->38182 38183 402bde 38182->38183 38184 40b2cc 27 API calls 38183->38184 38185 402bf5 38184->38185 38186 40b2cc 27 API calls 38185->38186 38187 402c0c 38186->38187 38188 40b2cc 27 API calls 38187->38188 38189 402c23 38188->38189 38190 40b2cc 27 API calls 38189->38190 38191 402c3a 38190->38191 38192 40b2cc 27 API calls 38191->38192 38193 402c51 38192->38193 38194 40b2cc 27 API calls 38193->38194 38195 402c68 38194->38195 38196 40b2cc 27 API calls 38195->38196 38197 402c7f 38196->38197 38198 40b2cc 27 API calls 38197->38198 38199 402c99 38198->38199 38200 40b2cc 27 API calls 38199->38200 38201 402cb3 38200->38201 38202 40b2cc 27 API calls 38201->38202 38203 402cd5 38202->38203 38204 40b2cc 27 API calls 38203->38204 38205 402cf0 38204->38205 38206 40b2cc 27 API calls 38205->38206 38207 402d0b 38206->38207 38208 40b2cc 27 API calls 38207->38208 38209 402d26 38208->38209 38210 40b2cc 27 API calls 38209->38210 38211 402d3e 38210->38211 38212 40b2cc 27 API calls 38211->38212 38213 402d59 38212->38213 38214 40b2cc 27 API calls 38213->38214 38215 402d78 38214->38215 38216 40b2cc 27 API calls 38215->38216 38217 402d93 38216->38217 38218 4018db GetWindowPlacement memset GetSystemMetrics GetSystemMetrics SetWindowPlacement 38217->38218 38218->38101 38219->38091 38223 40b58d 38220->38223 38222 40b2d1 38222->38165 38224 40b5a4 GetModuleHandleW FindResourceW 38223->38224 38225 40b62e 38223->38225 38226 40b5c2 LoadResource 38224->38226 38228 40b5e7 38224->38228 38225->38222 38227 40b5d0 SizeofResource LockResource 38226->38227 38226->38228 38227->38228 38228->38225 38236 40afcf 38228->38236 38230 40b608 memcpy 38239 40b4d3 memcpy 38230->38239 38232 40b61e 38240 40b3c1 18 API calls 38232->38240 38234 40b626 38241 40b04b 38234->38241 38237 40b04b ??3@YAXPAX 38236->38237 38238 40afd7 ??2@YAPAXI 38237->38238 38238->38230 38239->38232 38240->38234 38242 40b051 ??3@YAXPAX 38241->38242 38243 40b05f 38241->38243 38242->38243 38243->38225 38244->38109 38246 4032c4 38245->38246 38247 40b633 free 38246->38247 38248 403316 38247->38248 38267 44553b 38248->38267 38252 403480 38465 40368c 15 API calls 38252->38465 38254 403489 38255 40b633 free 38254->38255 38257 403495 38255->38257 38256 40333c 38256->38252 38258 4033a9 memset memcpy 38256->38258 38259 4033ec wcscmp 38256->38259 38463 4028e7 11 API calls 38256->38463 38464 40f508 6 API calls 38256->38464 38257->38111 38258->38256 38258->38259 38259->38256 38262 403421 _wcsicmp 38262->38256 38264 444a64 FreeLibrary 38263->38264 38265 444a83 38263->38265 38264->38265 38265->38111 38266->38112 38268 445548 38267->38268 38269 445599 38268->38269 38466 40c768 38268->38466 38270 4455a8 memset 38269->38270 38277 4457f2 38269->38277 38549 403988 38270->38549 38280 445854 38277->38280 38651 403e2d memset memset memset memset memset 38277->38651 38278 4455e5 38289 445672 38278->38289 38294 44560f 38278->38294 38279 4458bb memset memset 38282 414c2e 17 API calls 38279->38282 38333 4458aa 38280->38333 38674 403c9c memset memset memset memset memset 38280->38674 38285 4458f9 38282->38285 38284 44595e memset memset 38292 414c2e 17 API calls 38284->38292 38293 40b2cc 27 API calls 38285->38293 38287 44558c 38533 444b06 38287->38533 38288 44557a 38288->38287 38747 4136c0 CoTaskMemFree 38288->38747 38560 403fbe memset memset memset memset memset 38289->38560 38290 445a00 memset memset 38697 414c2e 38290->38697 38291 445b22 38297 445bca 38291->38297 38298 445b38 memset memset memset 38291->38298 38302 44599c 38292->38302 38304 445909 38293->38304 38306 4087b3 338 API calls 38294->38306 38296 445849 38763 40b1ab free free 38296->38763 38305 445c8b memset memset 38297->38305 38371 445cf0 38297->38371 38309 445bd4 38298->38309 38310 445b98 38298->38310 38303 40b2cc 27 API calls 38302->38303 38317 4459ac 38303->38317 38314 409d1f 6 API calls 38304->38314 38318 414c2e 17 API calls 38305->38318 38315 445621 38306->38315 38307 44589f 38764 40b1ab free free 38307->38764 38308 445585 38748 41366b FreeLibrary 38308->38748 38324 414c2e 17 API calls 38309->38324 38310->38309 38320 445ba2 38310->38320 38313 403335 38462 4452e5 45 API calls 38313->38462 38328 445919 38314->38328 38749 4454bf 20 API calls 38315->38749 38316 445823 38316->38296 38338 4087b3 338 API calls 38316->38338 38329 409d1f 6 API calls 38317->38329 38330 445cc9 38318->38330 38836 4099c6 wcslen 38320->38836 38321 4456b2 38751 40b1ab free free 38321->38751 38323 40b2cc 27 API calls 38334 445a4f 38323->38334 38325 445be2 38324->38325 38336 40b2cc 27 API calls 38325->38336 38326 445d3d 38356 40b2cc 27 API calls 38326->38356 38327 445d88 memset memset memset 38339 414c2e 17 API calls 38327->38339 38765 409b98 GetFileAttributesW 38328->38765 38340 4459bc 38329->38340 38341 409d1f 6 API calls 38330->38341 38331 445879 38331->38307 38352 4087b3 338 API calls 38331->38352 38333->38279 38357 44594a 38333->38357 38713 409d1f wcslen wcslen 38334->38713 38346 445bf3 38336->38346 38338->38316 38349 445dde 38339->38349 38832 409b98 GetFileAttributesW 38340->38832 38351 445ce1 38341->38351 38342 445bb3 38839 445403 memset 38342->38839 38343 445680 38343->38321 38583 4087b3 memset 38343->38583 38355 409d1f 6 API calls 38346->38355 38347 445928 38347->38357 38766 40b6ef 38347->38766 38358 40b2cc 27 API calls 38349->38358 38856 409b98 GetFileAttributesW 38351->38856 38352->38331 38354 40b2cc 27 API calls 38363 445a94 38354->38363 38365 445c07 38355->38365 38366 445d54 _wcsicmp 38356->38366 38357->38284 38370 4459ed 38357->38370 38369 445def 38358->38369 38359 4459cb 38359->38370 38379 40b6ef 253 API calls 38359->38379 38718 40ae18 38363->38718 38364 44566d 38364->38277 38634 413d4c 38364->38634 38375 445389 259 API calls 38365->38375 38376 445d71 38366->38376 38439 445d67 38366->38439 38368 445665 38750 40b1ab free free 38368->38750 38377 409d1f 6 API calls 38369->38377 38370->38290 38370->38291 38371->38313 38371->38326 38371->38327 38372 445389 259 API calls 38372->38297 38381 445c17 38375->38381 38857 445093 23 API calls 38376->38857 38384 445e03 38377->38384 38379->38370 38380 4456d8 38386 40b2cc 27 API calls 38380->38386 38387 40b2cc 27 API calls 38381->38387 38383 44563c 38383->38368 38389 4087b3 338 API calls 38383->38389 38858 409b98 GetFileAttributesW 38384->38858 38385 40b6ef 253 API calls 38385->38313 38391 4456e2 38386->38391 38392 445c23 38387->38392 38388 445d83 38388->38313 38389->38383 38752 413fa6 _wcsicmp _wcsicmp 38391->38752 38396 409d1f 6 API calls 38392->38396 38394 445e12 38401 445e6b 38394->38401 38408 40b2cc 27 API calls 38394->38408 38399 445c37 38396->38399 38397 445aa1 38400 445b17 38397->38400 38415 445ab2 memset 38397->38415 38428 409d1f 6 API calls 38397->38428 38725 40add4 38397->38725 38730 445389 38397->38730 38739 40ae51 38397->38739 38398 4456eb 38404 4456fd memset memset memset memset 38398->38404 38405 4457ea 38398->38405 38406 445389 259 API calls 38399->38406 38833 40aebe 38400->38833 38860 445093 23 API calls 38401->38860 38753 409c70 wcscpy wcsrchr 38404->38753 38756 413d29 38405->38756 38411 445c47 38406->38411 38412 445e33 38408->38412 38409 445e7e 38414 445f67 38409->38414 38417 40b2cc 27 API calls 38411->38417 38418 409d1f 6 API calls 38412->38418 38423 40b2cc 27 API calls 38414->38423 38419 40b2cc 27 API calls 38415->38419 38421 445c53 38417->38421 38422 445e47 38418->38422 38419->38397 38420 409c70 2 API calls 38424 44577e 38420->38424 38425 409d1f 6 API calls 38421->38425 38859 409b98 GetFileAttributesW 38422->38859 38427 445f73 38423->38427 38429 409c70 2 API calls 38424->38429 38430 445c67 38425->38430 38432 409d1f 6 API calls 38427->38432 38428->38397 38433 44578d 38429->38433 38434 445389 259 API calls 38430->38434 38431 445e56 38431->38401 38437 445e83 memset 38431->38437 38435 445f87 38432->38435 38433->38405 38441 40b2cc 27 API calls 38433->38441 38434->38297 38863 409b98 GetFileAttributesW 38435->38863 38440 40b2cc 27 API calls 38437->38440 38439->38313 38439->38385 38442 445eab 38440->38442 38443 4457a8 38441->38443 38444 409d1f 6 API calls 38442->38444 38445 409d1f 6 API calls 38443->38445 38446 445ebf 38444->38446 38447 4457b8 38445->38447 38448 40ae18 9 API calls 38446->38448 38755 409b98 GetFileAttributesW 38447->38755 38458 445ef5 38448->38458 38450 4457c7 38450->38405 38452 4087b3 338 API calls 38450->38452 38451 40ae51 9 API calls 38451->38458 38452->38405 38453 445f5c 38455 40aebe FindClose 38453->38455 38454 40add4 2 API calls 38454->38458 38455->38414 38456 40b2cc 27 API calls 38456->38458 38457 409d1f 6 API calls 38457->38458 38458->38451 38458->38453 38458->38454 38458->38456 38458->38457 38460 445f3a 38458->38460 38861 409b98 GetFileAttributesW 38458->38861 38862 445093 23 API calls 38460->38862 38462->38256 38463->38262 38464->38256 38465->38254 38467 40c775 38466->38467 38864 40b1ab free free 38467->38864 38469 40c788 38865 40b1ab free free 38469->38865 38471 40c790 38866 40b1ab free free 38471->38866 38473 40c798 38474 40aa04 free 38473->38474 38475 40c7a0 38474->38475 38867 40c274 memset 38475->38867 38480 40a8ab 9 API calls 38481 40c7c3 38480->38481 38482 40a8ab 9 API calls 38481->38482 38483 40c7d0 38482->38483 38896 40c3c3 38483->38896 38487 40c877 38496 40bdb0 38487->38496 38488 40c86c 38938 4053fe 39 API calls 38488->38938 38494 40c7e5 38494->38487 38494->38488 38495 40c634 50 API calls 38494->38495 38921 40a706 38494->38921 38495->38494 39201 404363 38496->39201 38499 40bf5d 39221 40440c 38499->39221 38500 40bdee 38500->38499 38504 40b2cc 27 API calls 38500->38504 38501 40bddf CredEnumerateW 38501->38500 38505 40be02 wcslen 38504->38505 38505->38499 38510 40be1e 38505->38510 38506 40be26 wcsncmp 38506->38510 38509 40be7d memset 38509->38510 38511 40bea7 memcpy 38509->38511 38510->38499 38510->38506 38510->38509 38510->38511 38512 40bf11 wcschr 38510->38512 38513 40b2cc 27 API calls 38510->38513 38515 40bf43 LocalFree 38510->38515 39224 40bd5d 28 API calls 38510->39224 39225 404423 38510->39225 38511->38510 38511->38512 38512->38510 38514 40bef6 _wcsnicmp 38513->38514 38514->38510 38514->38512 38515->38510 38516 4135f7 39240 4135e0 38516->39240 38519 40b2cc 27 API calls 38520 41360d 38519->38520 38521 40a804 8 API calls 38520->38521 38522 413613 38521->38522 38523 41361b 38522->38523 38524 41363e 38522->38524 38525 40b273 27 API calls 38523->38525 38526 4135e0 FreeLibrary 38524->38526 38527 413625 GetProcAddress 38525->38527 38528 413643 38526->38528 38527->38524 38529 413648 38527->38529 38528->38288 38530 413658 38529->38530 38531 4135e0 FreeLibrary 38529->38531 38530->38288 38532 413666 38531->38532 38532->38288 39243 4449b9 38533->39243 38536 444c1f 38536->38269 38537 4449b9 42 API calls 38539 444b4b 38537->38539 38538 444c15 38541 4449b9 42 API calls 38538->38541 38539->38538 39264 444972 GetVersionExW 38539->39264 38541->38536 38542 444b99 memcmp 38547 444b8c 38542->38547 38543 444c0b 38547->38542 38547->38543 39265 444aa5 42 API calls 38547->39265 39266 40a7a0 GetVersionExW 38547->39266 39267 444a85 42 API calls 38547->39267 38550 40399d 38549->38550 39269 403a16 38550->39269 38552 403a09 39283 40b1ab free free 38552->39283 38554 403a12 wcsrchr 38554->38278 38555 4039a3 38555->38552 38558 4039f4 38555->38558 39280 40a02c CreateFileW 38555->39280 38558->38552 38559 4099c6 2 API calls 38558->38559 38559->38552 38561 414c2e 17 API calls 38560->38561 38562 404048 38561->38562 38563 414c2e 17 API calls 38562->38563 38564 404056 38563->38564 38565 409d1f 6 API calls 38564->38565 38566 404073 38565->38566 38567 409d1f 6 API calls 38566->38567 38568 40408e 38567->38568 38569 409d1f 6 API calls 38568->38569 38570 4040a6 38569->38570 38571 403af5 20 API calls 38570->38571 38572 4040ba 38571->38572 38573 403af5 20 API calls 38572->38573 38574 4040cb 38573->38574 39310 40414f memset 38574->39310 38576 404140 39324 40b1ab free free 38576->39324 38577 4040ec memset 38581 4040e0 38577->38581 38579 404148 38579->38343 38580 4099c6 2 API calls 38580->38581 38581->38576 38581->38577 38581->38580 38582 40a8ab 9 API calls 38581->38582 38582->38581 39337 40a6e6 WideCharToMultiByte 38583->39337 38585 4087ed 39338 4095d9 memset 38585->39338 38588 408809 memset memset memset memset memset 38589 40b2cc 27 API calls 38588->38589 38590 4088a1 38589->38590 38591 409d1f 6 API calls 38590->38591 38592 4088b1 38591->38592 38593 40b2cc 27 API calls 38592->38593 38594 4088c0 38593->38594 38595 409d1f 6 API calls 38594->38595 38596 4088d0 38595->38596 38597 40b2cc 27 API calls 38596->38597 38598 4088df 38597->38598 38615 408953 38615->38343 38635 40b633 free 38634->38635 38636 413d65 CreateToolhelp32Snapshot memset Process32FirstW 38635->38636 38637 413f00 Process32NextW 38636->38637 38638 413da5 OpenProcess 38637->38638 38639 413f17 CloseHandle 38637->38639 38640 413eb0 38638->38640 38641 413df3 memset 38638->38641 38639->38380 38640->38637 38643 413ebf free 38640->38643 38644 4099f4 3 API calls 38640->38644 39781 413f27 38641->39781 38643->38640 38644->38640 38645 413e1f 38646 413e37 GetModuleHandleW 38645->38646 39786 413959 38645->39786 39802 413ca4 38645->39802 38646->38645 38648 413e46 GetProcAddress 38646->38648 38648->38645 38650 413ea2 CloseHandle 38650->38640 38652 414c2e 17 API calls 38651->38652 38653 403eb7 38652->38653 38654 414c2e 17 API calls 38653->38654 38655 403ec5 38654->38655 38656 409d1f 6 API calls 38655->38656 38657 403ee2 38656->38657 38658 409d1f 6 API calls 38657->38658 38659 403efd 38658->38659 38660 409d1f 6 API calls 38659->38660 38661 403f15 38660->38661 38662 403af5 20 API calls 38661->38662 38663 403f29 38662->38663 38664 403af5 20 API calls 38663->38664 38665 403f3a 38664->38665 38666 40414f 33 API calls 38665->38666 38672 403f4f 38666->38672 38667 403faf 39816 40b1ab free free 38667->39816 38669 403f5b memset 38669->38672 38670 403fb7 38670->38316 38671 4099c6 2 API calls 38671->38672 38672->38667 38672->38669 38672->38671 38673 40a8ab 9 API calls 38672->38673 38673->38672 38675 414c2e 17 API calls 38674->38675 38676 403d26 38675->38676 38677 414c2e 17 API calls 38676->38677 38678 403d34 38677->38678 38679 409d1f 6 API calls 38678->38679 38680 403d51 38679->38680 38681 409d1f 6 API calls 38680->38681 38682 403d6c 38681->38682 38683 409d1f 6 API calls 38682->38683 38684 403d84 38683->38684 38685 403af5 20 API calls 38684->38685 38686 403d98 38685->38686 38687 403af5 20 API calls 38686->38687 38688 403da9 38687->38688 38689 40414f 33 API calls 38688->38689 38690 403dbe 38689->38690 38691 403e1e 38690->38691 38693 403dca memset 38690->38693 38695 4099c6 2 API calls 38690->38695 38696 40a8ab 9 API calls 38690->38696 39817 40b1ab free free 38691->39817 38693->38690 38694 403e26 38694->38331 38695->38690 38696->38690 38698 414b81 9 API calls 38697->38698 38699 414c40 38698->38699 38700 414c73 memset 38699->38700 39818 409cea 38699->39818 38702 414c94 38700->38702 39821 414592 RegOpenKeyExW 38702->39821 38705 414c64 SHGetSpecialFolderPathW 38707 414d0b 38705->38707 38706 414cc1 38708 414cf4 wcscpy 38706->38708 39822 414bb0 wcscpy 38706->39822 38707->38323 38708->38707 38710 414cd2 39823 4145ac RegQueryValueExW 38710->39823 38712 414ce9 RegCloseKey 38712->38708 38714 409d62 38713->38714 38715 409d43 wcscpy 38713->38715 38714->38354 38716 409719 2 API calls 38715->38716 38717 409d51 wcscat 38716->38717 38717->38714 38719 40aebe FindClose 38718->38719 38720 40ae21 38719->38720 38721 4099c6 2 API calls 38720->38721 38722 40ae35 38721->38722 38723 409d1f 6 API calls 38722->38723 38724 40ae49 38723->38724 38724->38397 38726 40ade0 38725->38726 38729 40ae0f 38725->38729 38727 40ade7 wcscmp 38726->38727 38726->38729 38728 40adfe wcscmp 38727->38728 38727->38729 38728->38729 38729->38397 38731 40ae18 9 API calls 38730->38731 38732 4453c4 38731->38732 38733 40ae51 9 API calls 38732->38733 38734 4453f3 38732->38734 38735 40add4 2 API calls 38732->38735 38738 445403 254 API calls 38732->38738 38733->38732 38736 40aebe FindClose 38734->38736 38735->38732 38737 4453fe 38736->38737 38737->38397 38738->38732 38740 40ae7b FindNextFileW 38739->38740 38741 40ae5c FindFirstFileW 38739->38741 38742 40ae94 38740->38742 38743 40ae8f 38740->38743 38741->38742 38745 40aeb6 38742->38745 38746 409d1f 6 API calls 38742->38746 38744 40aebe FindClose 38743->38744 38744->38742 38745->38397 38746->38745 38747->38308 38748->38287 38749->38383 38750->38364 38751->38364 38752->38398 38754 409c89 38753->38754 38754->38420 38755->38450 38757 413d39 38756->38757 38758 413d2f FreeLibrary 38756->38758 38759 40b633 free 38757->38759 38758->38757 38760 413d42 38759->38760 38761 40b633 free 38760->38761 38762 413d4a 38761->38762 38762->38277 38763->38280 38764->38333 38765->38347 38767 44db70 38766->38767 38768 40b6fc memset 38767->38768 38769 409c70 2 API calls 38768->38769 38770 40b732 wcsrchr 38769->38770 38771 40b743 38770->38771 38772 40b746 memset 38770->38772 38771->38772 38773 40b2cc 27 API calls 38772->38773 38774 40b76f 38773->38774 38775 409d1f 6 API calls 38774->38775 38776 40b783 38775->38776 39824 409b98 GetFileAttributesW 38776->39824 38778 40b792 38779 40b7c2 38778->38779 38780 409c70 2 API calls 38778->38780 39825 40bb98 38779->39825 38782 40b7a5 38780->38782 38784 40b2cc 27 API calls 38782->38784 38788 40b7b2 38784->38788 38785 40b837 CloseHandle 38787 40b83e memset 38785->38787 38786 40b817 38789 409a45 3 API calls 38786->38789 39858 40a6e6 WideCharToMultiByte 38787->39858 38791 409d1f 6 API calls 38788->38791 38792 40b827 CopyFileW 38789->38792 38791->38779 38792->38787 38793 40b866 38794 444432 121 API calls 38793->38794 38795 40b879 38794->38795 38796 40bad5 38795->38796 38797 40b273 27 API calls 38795->38797 38798 40baeb 38796->38798 38799 40bade DeleteFileW 38796->38799 38800 40b89a 38797->38800 38801 40b04b ??3@YAXPAX 38798->38801 38799->38798 38802 438552 134 API calls 38800->38802 38803 40baf3 38801->38803 38804 40b8a4 38802->38804 38803->38357 38805 40bacd 38804->38805 38807 4251c4 137 API calls 38804->38807 38806 443d90 111 API calls 38805->38806 38806->38796 38830 40b8b8 38807->38830 38808 40bac6 39868 424f26 123 API calls 38808->39868 38809 40b8bd memset 39859 425413 17 API calls 38809->39859 38812 425413 17 API calls 38812->38830 38815 40a71b MultiByteToWideChar 38815->38830 38816 40a734 MultiByteToWideChar 38816->38830 38819 40b9b5 memcmp 38819->38830 38820 4099c6 2 API calls 38820->38830 38821 404423 38 API calls 38821->38830 38824 40bb3e memset memcpy 39869 40a734 MultiByteToWideChar 38824->39869 38825 4251c4 137 API calls 38825->38830 38827 40bb88 LocalFree 38827->38830 38830->38808 38830->38809 38830->38812 38830->38815 38830->38816 38830->38819 38830->38820 38830->38821 38830->38824 38830->38825 38831 40ba5f memcmp 38830->38831 39860 4253ef 16 API calls 38830->39860 39861 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 38830->39861 39862 4253af 17 API calls 38830->39862 39863 4253cf 17 API calls 38830->39863 39864 447280 memset 38830->39864 39865 447960 memset memcpy memcpy memcpy 38830->39865 39866 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 38830->39866 39867 447920 memcpy memcpy memcpy 38830->39867 38831->38830 38832->38359 38834 40aed1 38833->38834 38835 40aec7 FindClose 38833->38835 38834->38291 38835->38834 38837 4099d7 38836->38837 38838 4099da memcpy 38836->38838 38837->38838 38838->38342 38840 40b2cc 27 API calls 38839->38840 38841 44543f 38840->38841 38842 409d1f 6 API calls 38841->38842 38843 44544f 38842->38843 39957 409b98 GetFileAttributesW 38843->39957 38845 44545e 38846 445476 38845->38846 38847 40b6ef 253 API calls 38845->38847 38848 40b2cc 27 API calls 38846->38848 38847->38846 38849 445482 38848->38849 38850 409d1f 6 API calls 38849->38850 38851 445492 38850->38851 39958 409b98 GetFileAttributesW 38851->39958 38853 4454a1 38854 4454b9 38853->38854 38855 40b6ef 253 API calls 38853->38855 38854->38372 38855->38854 38856->38371 38857->38388 38858->38394 38859->38431 38860->38409 38861->38458 38862->38458 38863->38439 38864->38469 38865->38471 38866->38473 38868 414c2e 17 API calls 38867->38868 38869 40c2ae 38868->38869 38939 40c1d3 38869->38939 38874 40c3be 38891 40a8ab 38874->38891 38875 40afcf 2 API calls 38876 40c2fd FindFirstUrlCacheEntryW 38875->38876 38877 40c3b6 38876->38877 38878 40c31e wcschr 38876->38878 38879 40b04b ??3@YAXPAX 38877->38879 38880 40c331 38878->38880 38881 40c35e FindNextUrlCacheEntryW 38878->38881 38879->38874 38883 40a8ab 9 API calls 38880->38883 38881->38878 38882 40c373 GetLastError 38881->38882 38884 40c3ad FindCloseUrlCache 38882->38884 38885 40c37e 38882->38885 38886 40c33e wcschr 38883->38886 38884->38877 38887 40afcf 2 API calls 38885->38887 38886->38881 38888 40c34f 38886->38888 38889 40c391 FindNextUrlCacheEntryW 38887->38889 38890 40a8ab 9 API calls 38888->38890 38889->38878 38889->38884 38890->38881 39128 40a97a 38891->39128 38894 40a8cc 38894->38480 38895 40a8d0 7 API calls 38895->38894 39133 40b1ab free free 38896->39133 38898 40c3dd 38899 40b2cc 27 API calls 38898->38899 38900 40c3e7 38899->38900 39134 414592 RegOpenKeyExW 38900->39134 38902 40c3f4 38903 40c50e 38902->38903 38904 40c3ff 38902->38904 38918 405337 38903->38918 38905 40a9ce 4 API calls 38904->38905 38906 40c418 memset 38905->38906 39135 40aa1d 38906->39135 38909 40c471 38911 40c47a _wcsupr 38909->38911 38910 40c505 RegCloseKey 38910->38903 38912 40a8d0 7 API calls 38911->38912 38913 40c498 38912->38913 38914 40a8d0 7 API calls 38913->38914 38915 40c4ac memset 38914->38915 38916 40aa1d 38915->38916 38917 40c4e4 RegEnumValueW 38916->38917 38917->38910 38917->38911 39137 405220 38918->39137 38922 4099c6 2 API calls 38921->38922 38923 40a714 _wcslwr 38922->38923 38924 40c634 38923->38924 39194 405361 38924->39194 38927 40c65c wcslen 39197 4053b6 39 API calls 38927->39197 38928 40c71d wcslen 38928->38494 38930 40c677 38931 40c713 38930->38931 39198 40538b 39 API calls 38930->39198 39200 4053df 39 API calls 38931->39200 38934 40c6a5 38934->38931 38935 40c6a9 memset 38934->38935 38936 40c6d3 38935->38936 39199 40c589 44 API calls 38936->39199 38938->38487 38940 40ae18 9 API calls 38939->38940 38946 40c210 38940->38946 38941 40ae51 9 API calls 38941->38946 38942 40c264 38943 40aebe FindClose 38942->38943 38945 40c26f 38943->38945 38944 40add4 2 API calls 38944->38946 38951 40e5ed memset memset 38945->38951 38946->38941 38946->38942 38946->38944 38947 40c231 _wcsicmp 38946->38947 38948 40c1d3 35 API calls 38946->38948 38947->38946 38949 40c248 38947->38949 38948->38946 38964 40c084 22 API calls 38949->38964 38952 414c2e 17 API calls 38951->38952 38953 40e63f 38952->38953 38954 409d1f 6 API calls 38953->38954 38955 40e658 38954->38955 38965 409b98 GetFileAttributesW 38955->38965 38957 40e667 38958 40e680 38957->38958 38959 409d1f 6 API calls 38957->38959 38966 409b98 GetFileAttributesW 38958->38966 38959->38958 38961 40e68f 38962 40c2d8 38961->38962 38967 40e4b2 38961->38967 38962->38874 38962->38875 38964->38946 38965->38957 38966->38961 38988 40e01e 38967->38988 38969 40e593 38970 40e5b0 38969->38970 38971 40e59c DeleteFileW 38969->38971 38972 40b04b ??3@YAXPAX 38970->38972 38971->38970 38974 40e5bb 38972->38974 38973 40e521 38973->38969 39011 40e175 38973->39011 38976 40e5c4 CloseHandle 38974->38976 38977 40e5cc 38974->38977 38976->38977 38979 40b633 free 38977->38979 38978 40e573 38980 40e584 38978->38980 38981 40e57c CloseHandle 38978->38981 38982 40e5db 38979->38982 39054 40b1ab free free 38980->39054 38981->38980 38985 40b633 free 38982->38985 38984 40e540 38984->38978 39031 40e2ab 38984->39031 38986 40e5e3 38985->38986 38986->38962 39055 406214 38988->39055 38991 40e16b 38991->38973 38994 40afcf 2 API calls 38995 40e08d OpenProcess 38994->38995 38996 40e0a4 GetCurrentProcess DuplicateHandle 38995->38996 39000 40e152 38995->39000 38997 40e0d0 GetFileSize 38996->38997 38998 40e14a CloseHandle 38996->38998 39091 409a45 GetTempPathW 38997->39091 38998->39000 38999 40e160 39003 40b04b ??3@YAXPAX 38999->39003 39000->38999 39002 406214 22 API calls 39000->39002 39002->38999 39003->38991 39004 40e0ea 39094 4096dc CreateFileW 39004->39094 39006 40e0f1 CreateFileMappingW 39007 40e140 CloseHandle CloseHandle 39006->39007 39008 40e10b MapViewOfFile 39006->39008 39007->38998 39009 40e13b CloseHandle 39008->39009 39010 40e11f WriteFile UnmapViewOfFile 39008->39010 39009->39007 39010->39009 39012 40e18c 39011->39012 39095 406b90 39012->39095 39015 40e1a7 memset 39021 40e1e8 39015->39021 39016 40e299 39105 4069a3 39016->39105 39022 40e283 39021->39022 39023 40dd50 _wcsicmp 39021->39023 39029 40e244 _snwprintf 39021->39029 39112 406e8f 13 API calls 39021->39112 39113 40742e 8 API calls 39021->39113 39114 40aae3 wcslen wcslen _memicmp 39021->39114 39115 406b53 SetFilePointerEx ReadFile 39021->39115 39024 40e291 39022->39024 39025 40e288 free 39022->39025 39023->39021 39026 40aa04 free 39024->39026 39025->39024 39026->39016 39030 40a8d0 7 API calls 39029->39030 39030->39021 39032 40e2c2 39031->39032 39033 406b90 11 API calls 39032->39033 39039 40e2d3 39033->39039 39034 40e4a0 39035 4069a3 2 API calls 39034->39035 39037 40e4ab 39035->39037 39037->38984 39039->39034 39040 40e489 39039->39040 39043 40dd50 _wcsicmp 39039->39043 39049 40e3e0 memcpy 39039->39049 39050 40e3fb memcpy 39039->39050 39051 40e3b3 wcschr 39039->39051 39052 40e416 memcpy 39039->39052 39053 40e431 memcpy 39039->39053 39116 406e8f 13 API calls 39039->39116 39117 40dd50 _wcsicmp 39039->39117 39126 40742e 8 API calls 39039->39126 39127 406b53 SetFilePointerEx ReadFile 39039->39127 39041 40aa04 free 39040->39041 39042 40e491 39041->39042 39042->39034 39044 40e497 free 39042->39044 39043->39039 39044->39034 39046 40e376 memset 39118 40aa29 39046->39118 39049->39039 39050->39039 39051->39039 39052->39039 39053->39039 39054->38969 39056 406294 CloseHandle 39055->39056 39057 406224 39056->39057 39058 4096c3 CreateFileW 39057->39058 39059 40622d 39058->39059 39060 406281 GetLastError 39059->39060 39061 40a2ef ReadFile 39059->39061 39065 40625a 39060->39065 39062 406244 39061->39062 39062->39060 39063 40624b 39062->39063 39064 406777 19 API calls 39063->39064 39063->39065 39064->39065 39065->38991 39066 40dd85 memset 39065->39066 39067 409bca GetModuleFileNameW 39066->39067 39068 40ddbe CreateFileW 39067->39068 39071 40ddf1 39068->39071 39069 40afcf ??2@YAPAXI ??3@YAXPAX 39069->39071 39070 41352f 9 API calls 39070->39071 39071->39069 39071->39070 39072 40de0b NtQuerySystemInformation 39071->39072 39073 40de3b CloseHandle GetCurrentProcessId 39071->39073 39072->39071 39074 40de54 39073->39074 39075 413d4c 46 API calls 39074->39075 39083 40de88 39075->39083 39076 40e00c 39077 413d29 free FreeLibrary 39076->39077 39078 40e014 39077->39078 39078->38991 39078->38994 39079 40dea9 _wcsicmp 39080 40dee7 OpenProcess 39079->39080 39081 40debd _wcsicmp 39079->39081 39080->39083 39081->39080 39082 40ded0 _wcsicmp 39081->39082 39082->39080 39082->39083 39083->39076 39083->39079 39084 40dfef CloseHandle 39083->39084 39085 40df23 GetCurrentProcess DuplicateHandle 39083->39085 39088 40df8f CloseHandle 39083->39088 39089 40df78 39083->39089 39084->39083 39085->39083 39086 40df4c memset 39085->39086 39087 41352f 9 API calls 39086->39087 39087->39083 39088->39089 39089->39084 39089->39088 39090 40dfae _wcsicmp 39089->39090 39090->39083 39090->39089 39092 409a74 GetTempFileNameW 39091->39092 39093 409a66 GetWindowsDirectoryW 39091->39093 39092->39004 39093->39092 39094->39006 39096 406bd5 39095->39096 39097 406bad 39095->39097 39099 4066bf free malloc memcpy free free 39096->39099 39104 406c0f 39096->39104 39097->39096 39098 406bba _wcsicmp 39097->39098 39098->39096 39098->39097 39100 406be5 39099->39100 39101 40afcf ??2@YAPAXI ??3@YAXPAX 39100->39101 39100->39104 39102 406bff 39101->39102 39103 4068bf SetFilePointerEx memcpy ReadFile ??2@YAPAXI ??3@YAXPAX 39102->39103 39103->39104 39104->39015 39104->39016 39106 4069c4 ??3@YAXPAX 39105->39106 39107 4069af 39106->39107 39108 40b633 free 39107->39108 39109 4069ba 39108->39109 39110 40b04b ??3@YAXPAX 39109->39110 39111 4069c2 39110->39111 39111->38984 39112->39021 39113->39021 39114->39021 39115->39021 39116->39039 39117->39046 39119 40aa33 39118->39119 39120 40aa63 39118->39120 39121 40aa44 39119->39121 39122 40aa38 wcslen 39119->39122 39120->39039 39123 40a9ce malloc memcpy free free 39121->39123 39122->39121 39124 40aa4d 39123->39124 39124->39120 39125 40aa51 memcpy 39124->39125 39125->39120 39126->39039 39127->39039 39129 40a980 39128->39129 39130 40a8bb 39129->39130 39131 40a995 _wcsicmp 39129->39131 39132 40a99c wcscmp 39129->39132 39130->38894 39130->38895 39131->39129 39132->39129 39133->38898 39134->38902 39136 40aa23 RegEnumValueW 39135->39136 39136->38909 39136->38910 39138 405335 39137->39138 39139 40522a 39137->39139 39138->38494 39140 40b2cc 27 API calls 39139->39140 39141 405234 39140->39141 39142 40a804 8 API calls 39141->39142 39143 40523a 39142->39143 39182 40b273 39143->39182 39145 405248 _mbscpy _mbscat GetProcAddress 39146 40b273 27 API calls 39145->39146 39147 405279 39146->39147 39185 405211 GetProcAddress 39147->39185 39149 405282 39150 40b273 27 API calls 39149->39150 39151 40528f 39150->39151 39186 405211 GetProcAddress 39151->39186 39153 405298 39154 40b273 27 API calls 39153->39154 39155 4052a5 39154->39155 39187 405211 GetProcAddress 39155->39187 39157 4052ae 39158 40b273 27 API calls 39157->39158 39159 4052bb 39158->39159 39188 405211 GetProcAddress 39159->39188 39161 4052c4 39162 40b273 27 API calls 39161->39162 39163 4052d1 39162->39163 39189 405211 GetProcAddress 39163->39189 39165 4052da 39166 40b273 27 API calls 39165->39166 39167 4052e7 39166->39167 39190 405211 GetProcAddress 39167->39190 39169 4052f0 39170 40b273 27 API calls 39169->39170 39183 40b58d 27 API calls 39182->39183 39184 40b18c 39183->39184 39184->39145 39185->39149 39186->39153 39187->39157 39188->39161 39189->39165 39190->39169 39195 405220 39 API calls 39194->39195 39196 405369 39195->39196 39196->38927 39196->38928 39197->38930 39198->38934 39199->38931 39200->38928 39202 40440c FreeLibrary 39201->39202 39203 40436d 39202->39203 39204 40a804 8 API calls 39203->39204 39205 404377 39204->39205 39206 404383 39205->39206 39207 404405 39205->39207 39208 40b273 27 API calls 39206->39208 39207->38499 39207->38500 39207->38501 39209 40438d GetProcAddress 39208->39209 39210 40b273 27 API calls 39209->39210 39211 4043a7 GetProcAddress 39210->39211 39212 40b273 27 API calls 39211->39212 39213 4043ba GetProcAddress 39212->39213 39214 40b273 27 API calls 39213->39214 39215 4043ce GetProcAddress 39214->39215 39216 40b273 27 API calls 39215->39216 39217 4043e2 GetProcAddress 39216->39217 39218 4043f1 39217->39218 39219 4043f7 39218->39219 39220 40440c FreeLibrary 39218->39220 39219->39207 39220->39207 39222 404413 FreeLibrary 39221->39222 39223 40441e 39221->39223 39222->39223 39223->38516 39224->38510 39226 40447e 39225->39226 39227 40442e 39225->39227 39228 404485 CryptUnprotectData 39226->39228 39229 40449c 39226->39229 39230 40b2cc 27 API calls 39227->39230 39228->39229 39229->38510 39231 404438 39230->39231 39232 40a804 8 API calls 39231->39232 39233 40443e 39232->39233 39234 404445 39233->39234 39235 404467 39233->39235 39236 40b273 27 API calls 39234->39236 39235->39226 39238 404475 FreeLibrary 39235->39238 39237 40444f GetProcAddress 39236->39237 39237->39235 39239 404460 39237->39239 39238->39226 39239->39235 39241 4135f6 39240->39241 39242 4135eb FreeLibrary 39240->39242 39241->38519 39242->39241 39244 4449c4 39243->39244 39245 444a52 39243->39245 39246 40b2cc 27 API calls 39244->39246 39245->38536 39245->38537 39247 4449cb 39246->39247 39248 40a804 8 API calls 39247->39248 39249 4449d1 39248->39249 39250 40b273 27 API calls 39249->39250 39264->38547 39265->38547 39266->38547 39267->38547 39270 403a29 39269->39270 39284 403bed memset memset 39270->39284 39272 403ae7 39297 40b1ab free free 39272->39297 39274 403a3f memset 39278 403a2f 39274->39278 39275 403aef 39275->38555 39276 40a8d0 7 API calls 39276->39278 39277 409d1f 6 API calls 39277->39278 39278->39272 39278->39274 39278->39276 39278->39277 39279 409b98 GetFileAttributesW 39278->39279 39279->39278 39281 40a051 GetFileTime CloseHandle 39280->39281 39282 4039ca CompareFileTime 39280->39282 39281->39282 39282->38555 39283->38554 39285 414c2e 17 API calls 39284->39285 39286 403c38 39285->39286 39287 409719 2 API calls 39286->39287 39288 403c3f wcscat 39287->39288 39289 414c2e 17 API calls 39288->39289 39290 403c61 39289->39290 39291 409719 2 API calls 39290->39291 39292 403c68 wcscat 39291->39292 39298 403af5 39292->39298 39295 403af5 20 API calls 39296 403c95 39295->39296 39296->39278 39297->39275 39299 403b02 39298->39299 39300 40ae18 9 API calls 39299->39300 39308 403b37 39300->39308 39301 403bdb 39302 40aebe FindClose 39301->39302 39304 403be6 39302->39304 39303 40add4 wcscmp wcscmp 39303->39308 39304->39295 39305 40ae18 9 API calls 39305->39308 39306 40ae51 9 API calls 39306->39308 39307 40aebe FindClose 39307->39308 39308->39301 39308->39303 39308->39305 39308->39306 39308->39307 39309 40a8d0 7 API calls 39308->39309 39309->39308 39311 409d1f 6 API calls 39310->39311 39312 404190 39311->39312 39325 409b98 GetFileAttributesW 39312->39325 39314 40419c 39315 4041a7 6 API calls 39314->39315 39316 40435c 39314->39316 39318 40424f 39315->39318 39316->38581 39318->39316 39319 40425e memset 39318->39319 39321 409d1f 6 API calls 39318->39321 39322 40a8ab 9 API calls 39318->39322 39326 414842 39318->39326 39319->39318 39320 404296 wcscpy 39319->39320 39320->39318 39321->39318 39323 4042b6 memset memset _snwprintf wcscpy 39322->39323 39323->39318 39324->38579 39325->39314 39329 41443e 39326->39329 39328 414866 39328->39318 39330 41444b 39329->39330 39331 414451 39330->39331 39332 4144a3 GetPrivateProfileStringW 39330->39332 39333 414491 39331->39333 39334 414455 wcschr 39331->39334 39332->39328 39336 414495 WritePrivateProfileStringW 39333->39336 39334->39333 39335 414463 _snwprintf 39334->39335 39335->39336 39336->39328 39337->38585 39339 40b2cc 27 API calls 39338->39339 39340 409615 39339->39340 39341 409d1f 6 API calls 39340->39341 39342 409625 39341->39342 39367 409b98 GetFileAttributesW 39342->39367 39344 409634 39345 409648 39344->39345 39368 4091b8 memset 39344->39368 39347 40b2cc 27 API calls 39345->39347 39350 408801 39345->39350 39348 40965d 39347->39348 39349 409d1f 6 API calls 39348->39349 39351 40966d 39349->39351 39350->38588 39350->38615 39420 409b98 GetFileAttributesW 39351->39420 39353 40967c 39353->39350 39354 409681 39353->39354 39421 409529 72 API calls 39354->39421 39356 409690 39356->39350 39367->39344 39422 40a6e6 WideCharToMultiByte 39368->39422 39370 409202 39423 444432 39370->39423 39373 40b273 27 API calls 39374 409236 39373->39374 39469 438552 39374->39469 39400 40951d 39400->39345 39420->39353 39421->39356 39422->39370 39519 4438b5 39423->39519 39425 44444c 39426 409215 39425->39426 39533 415a6d 39425->39533 39426->39373 39426->39400 39428 4442e6 11 API calls 39429 444486 39431 4444b9 memcpy 39429->39431 39468 4444a4 39429->39468 39537 415258 39431->39537 39468->39428 39658 438460 39469->39658 39520 4438d0 39519->39520 39530 4438c9 39519->39530 39607 415378 memcpy memcpy 39520->39607 39530->39425 39534 415a77 39533->39534 39535 415a8d 39534->39535 39536 415a7e memset 39534->39536 39535->39429 39536->39535 39670 41703f 39658->39670 39808 413f4f 39781->39808 39784 413f37 K32GetModuleFileNameExW 39785 413f4a 39784->39785 39785->38645 39787 413969 wcscpy 39786->39787 39788 41396c wcschr 39786->39788 39791 413a3a 39787->39791 39788->39787 39790 41398e 39788->39790 39813 4097f7 wcslen wcslen _memicmp 39790->39813 39791->38645 39793 41399a 39794 4139a4 memset 39793->39794 39795 4139e6 39793->39795 39814 409dd5 GetWindowsDirectoryW wcscpy 39794->39814 39797 413a31 wcscpy 39795->39797 39798 4139ec memset 39795->39798 39797->39791 39815 409dd5 GetWindowsDirectoryW wcscpy 39798->39815 39799 4139c9 wcscpy wcscat 39799->39791 39801 413a11 memcpy wcscat 39801->39791 39803 413cb0 GetModuleHandleW 39802->39803 39804 413cda 39802->39804 39803->39804 39807 413cbf GetProcAddress 39803->39807 39805 413ce3 GetProcessTimes 39804->39805 39806 413cf6 39804->39806 39805->38650 39806->38650 39807->39804 39809 413f2f 39808->39809 39810 413f54 39808->39810 39809->39784 39809->39785 39811 40a804 8 API calls 39810->39811 39812 413f5f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 39811->39812 39812->39809 39813->39793 39814->39799 39815->39801 39816->38670 39817->38694 39819 409cf9 GetVersionExW 39818->39819 39820 409d0a 39818->39820 39819->39820 39820->38700 39820->38705 39821->38706 39822->38710 39823->38712 39824->38778 39826 40bba5 39825->39826 39870 40cc26 39826->39870 39829 40bd4b 39898 40cc0c 39829->39898 39834 40b2cc 27 API calls 39835 40bbef 39834->39835 39891 40ccf0 39835->39891 39837 40bbf5 39837->39829 39895 40ccb4 39837->39895 39840 40cf04 17 API calls 39841 40bc2e 39840->39841 39842 40bd43 39841->39842 39843 40b2cc 27 API calls 39841->39843 39844 40cc0c 4 API calls 39842->39844 39845 40bc40 39843->39845 39844->39829 39846 40ccf0 _wcsicmp 39845->39846 39847 40bc46 39846->39847 39847->39842 39848 40bc61 memset memset WideCharToMultiByte 39847->39848 39905 40103c strlen 39848->39905 39850 40bcc0 39851 40b273 27 API calls 39850->39851 39852 40bcd0 memcmp 39851->39852 39852->39842 39853 40bce2 39852->39853 39854 404423 38 API calls 39853->39854 39855 40bd10 39854->39855 39855->39842 39856 40bd3a LocalFree 39855->39856 39857 40bd1f memcpy 39855->39857 39856->39842 39857->39856 39858->38793 39859->38830 39860->38830 39861->38830 39862->38830 39863->38830 39864->38830 39865->38830 39866->38830 39867->38830 39868->38805 39869->38827 39906 4096c3 CreateFileW 39870->39906 39872 40cc34 39873 40cc3d GetFileSize 39872->39873 39881 40bbca 39872->39881 39874 40afcf 2 API calls 39873->39874 39875 40cc64 39874->39875 39907 40a2ef ReadFile 39875->39907 39877 40cc71 39908 40ab4a MultiByteToWideChar 39877->39908 39879 40cc95 CloseHandle 39880 40b04b ??3@YAXPAX 39879->39880 39880->39881 39881->39829 39882 40cf04 39881->39882 39883 40b633 free 39882->39883 39884 40cf14 39883->39884 39914 40b1ab free free 39884->39914 39886 40cf1b 39887 40cfef 39886->39887 39890 40bbdd 39886->39890 39915 40cd4b 39886->39915 39889 40cd4b 14 API calls 39887->39889 39889->39890 39890->39829 39890->39834 39892 40ccfd 39891->39892 39894 40cd3f 39891->39894 39893 40cd26 _wcsicmp 39892->39893 39892->39894 39893->39892 39893->39894 39894->39837 39896 40aa29 6 API calls 39895->39896 39897 40bc26 39896->39897 39897->39840 39899 40b633 free 39898->39899 39900 40cc15 39899->39900 39901 40aa04 free 39900->39901 39902 40cc1d 39901->39902 39956 40b1ab free free 39902->39956 39904 40b7d4 memset CreateFileW 39904->38785 39904->38786 39905->39850 39906->39872 39907->39877 39909 40ab93 39908->39909 39910 40ab6b 39908->39910 39909->39879 39911 40a9ce 4 API calls 39910->39911 39912 40ab74 39911->39912 39913 40ab7c MultiByteToWideChar 39912->39913 39913->39909 39914->39886 39916 40cd7b 39915->39916 39917 40aa29 6 API calls 39916->39917 39921 40cd89 39917->39921 39918 40cef5 39919 40aa04 free 39918->39919 39920 40cefd 39919->39920 39920->39886 39921->39918 39922 40aa29 6 API calls 39921->39922 39923 40ce1d 39922->39923 39924 40aa29 6 API calls 39923->39924 39925 40ce3e 39924->39925 39926 40ce6a 39925->39926 39949 40abb7 wcslen memmove 39925->39949 39927 40ce9f 39926->39927 39952 40abb7 wcslen memmove 39926->39952 39930 40a8d0 7 API calls 39927->39930 39933 40ceb5 39930->39933 39931 40ce56 39950 40aa71 wcslen 39931->39950 39932 40ce8b 39953 40aa71 wcslen 39932->39953 39937 40a8d0 7 API calls 39933->39937 39936 40ce5e 39951 40abb7 wcslen memmove 39936->39951 39940 40cecb 39937->39940 39938 40ce93 39954 40abb7 wcslen memmove 39938->39954 39955 40d00b malloc memcpy free free 39940->39955 39943 40cedd 39944 40aa04 free 39943->39944 39945 40cee5 39944->39945 39946 40aa04 free 39945->39946 39947 40ceed 39946->39947 39948 40aa04 free 39947->39948 39948->39918 39949->39931 39950->39936 39951->39926 39952->39932 39953->39938 39954->39927 39955->39943 39956->39904 39957->38845 39958->38853 39959 4415ea 39967 4304b2 39959->39967 39961 4415fe 39962 4418e2 39961->39962 39964 442bd4 39961->39964 39965 4418ea 39961->39965 39962->39965 40014 4414a9 12 API calls 39962->40014 39964->39965 40015 441409 memset 39964->40015 40016 43041c 12 API calls 39967->40016 39969 4304cd 39974 430557 39969->39974 40017 43034a 39969->40017 39971 4304f3 39971->39974 40021 430468 11 API calls 39971->40021 39973 430506 39973->39974 39975 43057b 39973->39975 40022 43817e 39973->40022 39974->39961 39976 415a91 memset 39975->39976 39978 430584 39976->39978 39978->39974 40027 4397fd memset 39978->40027 39980 4305e4 39980->39974 40028 4328e4 12 API calls 39980->40028 39982 43052d 39982->39974 39982->39975 39985 430542 39982->39985 39984 4305fa 39986 430609 39984->39986 40029 423383 11 API calls 39984->40029 39985->39974 40026 4169a7 11 API calls 39985->40026 40030 423330 11 API calls 39986->40030 39989 430634 40031 423399 11 API calls 39989->40031 39991 430648 40032 4233ae 11 API calls 39991->40032 39993 43066b 40033 423330 11 API calls 39993->40033 39995 43067d 40034 4233ae 11 API calls 39995->40034 39997 430695 40035 423330 11 API calls 39997->40035 39999 4306d6 40037 423330 11 API calls 39999->40037 40000 4306a7 40000->39999 40002 4306c0 40000->40002 40036 4233ae 11 API calls 40002->40036 40004 4306d1 40038 430369 17 API calls 40004->40038 40006 4306f3 40039 423330 11 API calls 40006->40039 40008 430704 40040 423330 11 API calls 40008->40040 40010 430710 40041 423330 11 API calls 40010->40041 40012 43071e 40042 423383 11 API calls 40012->40042 40014->39965 40015->39964 40016->39969 40018 43034e 40017->40018 40020 430359 40017->40020 40043 415c23 memcpy 40018->40043 40020->39971 40021->39973 40023 438187 40022->40023 40025 438192 40022->40025 40044 4380f6 40023->40044 40025->39982 40026->39974 40027->39980 40028->39984 40029->39986 40030->39989 40031->39991 40032->39993 40033->39995 40034->39997 40035->40000 40036->40004 40037->40004 40038->40006 40039->40008 40040->40010 40041->40012 40042->39974 40043->40020 40046 43811f 40044->40046 40045 438164 40045->40025 40046->40045 40048 4300e8 3 API calls 40046->40048 40049 437e5e 40046->40049 40048->40046 40072 437d3c 40049->40072 40051 437eb3 40051->40046 40052 437ea9 40052->40051 40058 437f22 40052->40058 40087 41f432 40052->40087 40055 437f06 40137 415c56 11 API calls 40055->40137 40057 437f95 40138 415c56 11 API calls 40057->40138 40059 437f7f 40058->40059 40060 432d4e 3 API calls 40058->40060 40059->40057 40062 43802b 40059->40062 40060->40059 40098 4165ff 40062->40098 40067 43806b 40068 438094 40067->40068 40139 42f50e 138 API calls 40067->40139 40070 437fa3 40068->40070 40071 4300e8 3 API calls 40068->40071 40070->40051 40140 41f638 104 API calls 40070->40140 40071->40070 40073 437d69 40072->40073 40076 437d80 40072->40076 40141 437ccb 11 API calls 40073->40141 40075 437d76 40075->40052 40076->40075 40077 437da3 40076->40077 40079 437d90 40076->40079 40080 438460 134 API calls 40077->40080 40079->40075 40145 437ccb 11 API calls 40079->40145 40083 437dcb 40080->40083 40082 437de8 40144 424f26 123 API calls 40082->40144 40083->40082 40142 444283 13 API calls 40083->40142 40085 437dfc 40143 437ccb 11 API calls 40085->40143 40088 41f54d 40087->40088 40094 41f44f 40087->40094 40089 41f466 40088->40089 40175 41c635 memset memset 40088->40175 40089->40055 40089->40058 40094->40089 40096 41f50b 40094->40096 40146 41f1a5 40094->40146 40171 41c06f memcmp 40094->40171 40172 41f3b1 90 API calls 40094->40172 40173 41f398 86 API calls 40094->40173 40096->40088 40096->40089 40174 41c295 86 API calls 40096->40174 40099 4165a0 11 API calls 40098->40099 40100 41660d 40099->40100 40101 437371 40100->40101 40102 41703f 11 API calls 40101->40102 40103 437399 40102->40103 40104 43739d 40103->40104 40107 4373ac 40103->40107 40261 4446ea 11 API calls 40104->40261 40106 4373a7 40106->40067 40108 416935 16 API calls 40107->40108 40109 4373ca 40108->40109 40111 438460 134 API calls 40109->40111 40115 4251c4 137 API calls 40109->40115 40119 415a91 memset 40109->40119 40122 43758f 40109->40122 40134 437584 40109->40134 40136 437d3c 135 API calls 40109->40136 40262 425433 13 API calls 40109->40262 40263 425413 17 API calls 40109->40263 40264 42533e 16 API calls 40109->40264 40265 42538f 16 API calls 40109->40265 40266 42453e 123 API calls 40109->40266 40110 4375bc 40113 415c7d 16 API calls 40110->40113 40111->40109 40114 4375d2 40113->40114 40114->40106 40116 4442e6 11 API calls 40114->40116 40115->40109 40117 4375e2 40116->40117 40117->40106 40269 444283 13 API calls 40117->40269 40119->40109 40267 42453e 123 API calls 40122->40267 40123 4375f4 40128 437620 40123->40128 40129 43760b 40123->40129 40127 43759f 40130 416935 16 API calls 40127->40130 40132 416935 16 API calls 40128->40132 40270 444283 13 API calls 40129->40270 40130->40134 40132->40106 40134->40110 40268 42453e 123 API calls 40134->40268 40135 437612 memcpy 40135->40106 40136->40109 40137->40051 40138->40070 40139->40068 40140->40051 40141->40075 40142->40085 40143->40082 40144->40075 40145->40075 40176 41bc3b 40146->40176 40149 41edad 86 API calls 40150 41f1cb 40149->40150 40151 41f1f5 memcmp 40150->40151 40152 41f20e 40150->40152 40156 41f282 40150->40156 40151->40152 40153 41f21b memcmp 40152->40153 40152->40156 40154 41f326 40153->40154 40157 41f23d 40153->40157 40155 41ee6b 86 API calls 40154->40155 40154->40156 40155->40156 40156->40094 40157->40154 40158 41f28e memcmp 40157->40158 40200 41c8df 56 API calls 40157->40200 40158->40154 40159 41f2a9 40158->40159 40159->40154 40162 41f308 40159->40162 40163 41f2d8 40159->40163 40161 41f269 40161->40154 40164 41f287 40161->40164 40165 41f27a 40161->40165 40162->40154 40201 4446ce 11 API calls 40162->40201 40166 41ee6b 86 API calls 40163->40166 40164->40158 40167 41ee6b 86 API calls 40165->40167 40168 41f2e0 40166->40168 40167->40156 40170 41b1ca memset 40168->40170 40170->40156 40171->40094 40172->40094 40173->40094 40174->40088 40175->40089 40177 41be0b 40176->40177 40179 41bc54 40176->40179 40182 41bd61 40177->40182 40210 41ae17 34 API calls 40177->40210 40179->40177 40179->40182 40187 41bc8d 40179->40187 40202 41baf0 55 API calls 40179->40202 40181 41be45 40181->40149 40181->40156 40182->40181 40211 41a25f memset 40182->40211 40184 41be04 40209 41aee4 56 API calls 40184->40209 40186 41bd42 40186->40182 40186->40184 40189 41bdd8 memset 40186->40189 40190 41bdba 40186->40190 40187->40182 40187->40186 40188 41bd18 40187->40188 40203 4151e3 40187->40203 40188->40182 40188->40186 40207 41a9da 86 API calls __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 40188->40207 40191 41bde7 memcmp 40189->40191 40199 4175ed 6 API calls 40190->40199 40191->40184 40193 41bdfd 40191->40193 40192 41bdcc 40192->40182 40192->40191 40208 41a1b0 memset 40193->40208 40199->40192 40200->40161 40201->40154 40202->40187 40212 41837f 40203->40212 40206 444706 11 API calls 40206->40188 40207->40186 40208->40184 40209->40177 40210->40182 40211->40181 40213 4183c1 40212->40213 40214 4183ca 40212->40214 40259 418197 25 API calls 40213->40259 40232 4151f9 40214->40232 40233 418160 40214->40233 40217 4183e5 40217->40232 40242 41739b 40217->40242 40220 418444 CreateFileW 40222 418477 40220->40222 40221 41845f CreateFileA 40221->40222 40223 4184c2 memset 40222->40223 40224 41847e GetLastError free 40222->40224 40245 418758 40223->40245 40225 4184b5 40224->40225 40226 418497 40224->40226 40260 444706 11 API calls 40225->40260 40229 41837f 49 API calls 40226->40229 40229->40232 40232->40188 40232->40206 40234 41739b GetVersionExW 40233->40234 40235 418165 40234->40235 40237 4173e4 MultiByteToWideChar malloc MultiByteToWideChar free 40235->40237 40238 418178 40237->40238 40239 41817f 40238->40239 40240 41748f AreFileApisANSI WideCharToMultiByte malloc WideCharToMultiByte free 40238->40240 40239->40217 40241 418188 free 40240->40241 40241->40217 40243 4173d6 40242->40243 40244 4173ad GetVersionExW 40242->40244 40243->40220 40243->40221 40244->40243 40246 418680 43 API calls 40245->40246 40247 418782 40246->40247 40248 418506 free 40247->40248 40249 418160 11 API calls 40247->40249 40248->40232 40250 418799 40249->40250 40250->40248 40251 41739b GetVersionExW 40250->40251 40252 4187a7 40251->40252 40253 4187da 40252->40253 40254 4187ad GetDiskFreeSpaceW 40252->40254 40256 4187ec GetDiskFreeSpaceA 40253->40256 40258 4187e8 40253->40258 40257 418800 free 40254->40257 40256->40257 40257->40248 40258->40256 40259->40214 40260->40232 40261->40106 40262->40109 40263->40109 40264->40109 40265->40109 40266->40109 40267->40127 40268->40110 40269->40123 40270->40135 40271 4147f3 40274 414561 40271->40274 40273 414813 40275 41456d 40274->40275 40276 41457f GetPrivateProfileIntW 40274->40276 40279 4143f1 memset _itow WritePrivateProfileStringW 40275->40279 40276->40273 40278 41457a 40278->40273 40279->40278 40280 44def7 40281 44df07 40280->40281 40282 44df00 ??3@YAXPAX 40280->40282 40283 44df17 40281->40283 40284 44df10 ??3@YAXPAX 40281->40284 40282->40281 40285 44df27 40283->40285 40286 44df20 ??3@YAXPAX 40283->40286 40284->40283 40287 44df37 40285->40287 40288 44df30 ??3@YAXPAX 40285->40288 40286->40285 40288->40287 40289 4148b6 FindResourceW 40290 4148cf SizeofResource 40289->40290 40293 4148f9 40289->40293 40291 4148e0 LoadResource 40290->40291 40290->40293 40292 4148ee LockResource 40291->40292 40291->40293 40292->40293 40294 441b3f 40304 43a9f6 40294->40304 40296 441b61 40477 4386af memset 40296->40477 40298 44189a 40299 442bd4 40298->40299 40300 4418e2 40298->40300 40301 4418ea 40299->40301 40479 441409 memset 40299->40479 40300->40301 40478 4414a9 12 API calls 40300->40478 40305 43aa20 40304->40305 40306 43aadf 40304->40306 40305->40306 40307 43aa34 memset 40305->40307 40306->40296 40308 43aa56 40307->40308 40309 43aa4d 40307->40309 40480 43a6e7 40308->40480 40488 42c02e memset 40309->40488 40314 43aad3 40490 4169a7 11 API calls 40314->40490 40315 43aaae 40315->40306 40315->40314 40330 43aae5 40315->40330 40317 43ac18 40319 43ac47 40317->40319 40492 42bbd5 memcpy memcpy memcpy memset memcpy 40317->40492 40320 43aca8 40319->40320 40493 438eed 16 API calls 40319->40493 40324 43acd5 40320->40324 40495 4233ae 11 API calls 40320->40495 40323 43ac87 40494 4233c5 16 API calls 40323->40494 40496 423426 11 API calls 40324->40496 40328 43ace1 40497 439811 163 API calls 40328->40497 40329 43a9f6 161 API calls 40329->40330 40330->40306 40330->40317 40330->40329 40491 439bbb 22 API calls 40330->40491 40332 43acfd 40338 43ad2c 40332->40338 40498 438eed 16 API calls 40332->40498 40334 43ad19 40499 4233c5 16 API calls 40334->40499 40336 43ad58 40500 44081d 163 API calls 40336->40500 40338->40336 40340 43add9 40338->40340 40340->40340 40504 423426 11 API calls 40340->40504 40341 43ae3a memset 40342 43ae73 40341->40342 40505 42e1c0 147 API calls 40342->40505 40343 43adab 40502 438c4e 163 API calls 40343->40502 40345 43ad6c 40345->40306 40345->40343 40501 42370b memset memcpy memset 40345->40501 40347 43ae96 40506 42e1c0 147 API calls 40347->40506 40349 43adcc 40503 440f84 12 API calls 40349->40503 40352 43aea8 40353 43aec1 40352->40353 40507 42e199 147 API calls 40352->40507 40355 43af00 40353->40355 40508 42e1c0 147 API calls 40353->40508 40355->40306 40358 43af1a 40355->40358 40359 43b3d9 40355->40359 40509 438eed 16 API calls 40358->40509 40364 43b3f6 40359->40364 40371 43b4c8 40359->40371 40361 43b60f 40361->40306 40568 4393a5 17 API calls 40361->40568 40362 43af2f 40510 4233c5 16 API calls 40362->40510 40550 432878 12 API calls 40364->40550 40366 43af51 40511 423426 11 API calls 40366->40511 40369 43af7d 40512 423426 11 API calls 40369->40512 40370 43b4f2 40557 43a76c 21 API calls 40370->40557 40371->40370 40556 42bbd5 memcpy memcpy memcpy memset memcpy 40371->40556 40375 43b529 40558 44081d 163 API calls 40375->40558 40376 43b428 40404 43b462 40376->40404 40551 432b60 16 API calls 40376->40551 40377 43af94 40513 423330 11 API calls 40377->40513 40381 43b47e 40384 43b497 40381->40384 40553 42374a memcpy memset memcpy memcpy memcpy 40381->40553 40382 43b544 40392 43b55c 40382->40392 40559 42c02e memset 40382->40559 40383 43afca 40514 423330 11 API calls 40383->40514 40554 4233ae 11 API calls 40384->40554 40389 43afdb 40515 4233ae 11 API calls 40389->40515 40391 43b4b1 40555 423399 11 API calls 40391->40555 40560 43a87a 163 API calls 40392->40560 40394 43b56c 40397 43b58a 40394->40397 40561 423330 11 API calls 40394->40561 40396 43afee 40516 44081d 163 API calls 40396->40516 40562 440f84 12 API calls 40397->40562 40399 43b4c1 40564 42db80 163 API calls 40399->40564 40403 43b592 40563 43a82f 16 API calls 40403->40563 40552 423330 11 API calls 40404->40552 40407 43b5b4 40565 438c4e 163 API calls 40407->40565 40409 43b5cf 40566 42c02e memset 40409->40566 40411 43b005 40411->40306 40416 43b01f 40411->40416 40517 42d836 163 API calls 40411->40517 40412 43b1ef 40527 4233c5 16 API calls 40412->40527 40414 43b212 40528 423330 11 API calls 40414->40528 40416->40412 40525 423330 11 API calls 40416->40525 40526 42d71d 163 API calls 40416->40526 40418 43add4 40418->40361 40567 438f86 16 API calls 40418->40567 40421 43b087 40518 4233ae 11 API calls 40421->40518 40422 43b22a 40529 42ccb5 11 API calls 40422->40529 40425 43b10f 40521 423330 11 API calls 40425->40521 40426 43b23f 40530 4233ae 11 API calls 40426->40530 40428 43b257 40531 4233ae 11 API calls 40428->40531 40432 43b129 40522 4233ae 11 API calls 40432->40522 40433 43b26e 40532 4233ae 11 API calls 40433->40532 40435 43b09a 40435->40425 40519 42cc15 19 API calls 40435->40519 40520 4233ae 11 API calls 40435->40520 40437 43b282 40533 43a87a 163 API calls 40437->40533 40439 43b13c 40523 440f84 12 API calls 40439->40523 40441 43b29d 40534 423330 11 API calls 40441->40534 40444 43b15f 40524 4233ae 11 API calls 40444->40524 40445 43b2af 40447 43b2b8 40445->40447 40448 43b2ce 40445->40448 40535 4233ae 11 API calls 40447->40535 40536 440f84 12 API calls 40448->40536 40451 43b2c9 40538 4233ae 11 API calls 40451->40538 40452 43b2da 40537 42370b memset memcpy memset 40452->40537 40455 43b2f9 40539 423330 11 API calls 40455->40539 40457 43b30b 40540 423330 11 API calls 40457->40540 40459 43b325 40541 423399 11 API calls 40459->40541 40461 43b332 40542 4233ae 11 API calls 40461->40542 40463 43b354 40543 423399 11 API calls 40463->40543 40465 43b364 40544 43a82f 16 API calls 40465->40544 40467 43b370 40545 42db80 163 API calls 40467->40545 40469 43b380 40546 438c4e 163 API calls 40469->40546 40471 43b39e 40547 423399 11 API calls 40471->40547 40473 43b3ae 40548 43a76c 21 API calls 40473->40548 40475 43b3c3 40549 423399 11 API calls 40475->40549 40477->40298 40478->40301 40479->40299 40481 43a6f5 40480->40481 40487 43a765 40480->40487 40481->40487 40569 42a115 40481->40569 40485 43a73d 40486 42a115 147 API calls 40485->40486 40485->40487 40486->40487 40487->40306 40489 4397fd memset 40487->40489 40488->40308 40489->40315 40490->40306 40491->40330 40492->40319 40493->40323 40494->40320 40495->40324 40496->40328 40497->40332 40498->40334 40499->40338 40500->40345 40501->40343 40502->40349 40503->40418 40504->40341 40505->40347 40506->40352 40507->40353 40508->40353 40509->40362 40510->40366 40511->40369 40512->40377 40513->40383 40514->40389 40515->40396 40516->40411 40517->40421 40518->40435 40519->40435 40520->40435 40521->40432 40522->40439 40523->40444 40524->40416 40525->40416 40526->40416 40527->40414 40528->40422 40529->40426 40530->40428 40531->40433 40532->40437 40533->40441 40534->40445 40535->40451 40536->40452 40537->40451 40538->40455 40539->40457 40540->40459 40541->40461 40542->40463 40543->40465 40544->40467 40545->40469 40546->40471 40547->40473 40548->40475 40549->40418 40550->40376 40551->40404 40552->40381 40553->40384 40554->40391 40555->40399 40556->40370 40557->40375 40558->40382 40559->40392 40560->40394 40561->40397 40562->40403 40563->40399 40564->40407 40565->40409 40566->40418 40567->40361 40568->40306 40570 42a175 40569->40570 40572 42a122 40569->40572 40570->40487 40575 42b13b 147 API calls 40570->40575 40572->40570 40573 42a115 147 API calls 40572->40573 40576 43a174 40572->40576 40600 42a0a8 147 API calls 40572->40600 40573->40572 40575->40485 40590 43a196 40576->40590 40591 43a19e 40576->40591 40577 43a306 40577->40590 40613 4388c4 14 API calls 40577->40613 40580 42a115 147 API calls 40580->40591 40581 415a91 memset 40581->40591 40582 43a642 40582->40590 40617 4169a7 11 API calls 40582->40617 40584 4165ff 11 API calls 40584->40591 40586 43a635 40616 42c02e memset 40586->40616 40590->40572 40591->40577 40591->40580 40591->40581 40591->40584 40591->40590 40601 42ff8c 40591->40601 40609 439504 13 API calls 40591->40609 40610 4312d0 147 API calls 40591->40610 40611 42be4c memcpy memcpy memcpy memset memcpy 40591->40611 40612 43a121 11 API calls 40591->40612 40593 4169a7 11 API calls 40594 43a325 40593->40594 40594->40582 40594->40586 40594->40590 40594->40593 40595 42b5b5 memset memcpy 40594->40595 40596 42bf4c 14 API calls 40594->40596 40599 4165ff 11 API calls 40594->40599 40614 42b63e 14 API calls 40594->40614 40615 42bfcf memcpy 40594->40615 40595->40594 40596->40594 40599->40594 40600->40572 40602 43817e 139 API calls 40601->40602 40603 42ff99 40602->40603 40604 42ffe3 40603->40604 40605 42ffd0 40603->40605 40608 42ff9d 40603->40608 40619 4169a7 11 API calls 40604->40619 40618 4169a7 11 API calls 40605->40618 40608->40591 40609->40591 40610->40591 40611->40591 40612->40591 40613->40594 40614->40594 40615->40594 40616->40582 40617->40590 40618->40608 40619->40608 40620 441819 40623 430737 40620->40623 40622 441825 40624 430756 40623->40624 40636 43076d 40623->40636 40625 430774 40624->40625 40626 43075f 40624->40626 40628 43034a memcpy 40625->40628 40644 4169a7 11 API calls 40626->40644 40630 43077e 40628->40630 40629 4307ce 40631 430819 memset 40629->40631 40637 415b2c 40629->40637 40630->40629 40634 4307fa 40630->40634 40630->40636 40631->40636 40633 4307e9 40633->40631 40633->40636 40645 4169a7 11 API calls 40634->40645 40636->40622 40638 415b46 40637->40638 40639 415b42 40637->40639 40638->40633 40639->40638 40640 415b94 40639->40640 40642 415b5a 40639->40642 40641 4438b5 10 API calls 40640->40641 40641->40638 40642->40638 40643 415b79 memcpy 40642->40643 40643->40638 40644->40636 40645->40636 40646 41493c EnumResourceNamesW

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 338 40dd85-40ddeb memset call 409bca CreateFileW 341 40ddf1-40de09 call 40afcf call 41352f 338->341 346 40de0b-40de1a NtQuerySystemInformation 341->346 347 40de1c 341->347 348 40de20-40de27 346->348 347->348 349 40de29-40de39 348->349 350 40de3b-40de52 CloseHandle GetCurrentProcessId 348->350 349->341 349->350 351 40de54-40de58 350->351 352 40de7a-40de8e call 413cfa call 413d4c 350->352 351->352 353 40de5a 351->353 362 40de94-40debb call 40e6ad call 409c52 _wcsicmp 352->362 363 40e00c-40e01b call 413d29 352->363 355 40de5d-40de63 353->355 357 40de74-40de78 355->357 358 40de65-40de6c 355->358 357->352 357->355 358->357 360 40de6e-40de71 358->360 360->357 370 40dee7-40def7 OpenProcess 362->370 371 40debd-40dece _wcsicmp 362->371 373 40dff8-40dffb 370->373 374 40defd-40df02 370->374 371->370 372 40ded0-40dee1 _wcsicmp 371->372 372->370 375 40dffd-40e006 372->375 373->363 373->375 376 40df08 374->376 377 40dfef-40dff2 CloseHandle 374->377 375->362 375->363 378 40df0b-40df10 376->378 377->373 379 40df16-40df1d 378->379 380 40dfbd-40dfcb 378->380 379->380 382 40df23-40df4a GetCurrentProcess DuplicateHandle 379->382 380->378 381 40dfd1-40dfd3 380->381 381->377 382->380 383 40df4c-40df76 memset call 41352f 382->383 386 40df78-40df8a 383->386 387 40df8f-40dfbb CloseHandle call 409c52 * 2 _wcsicmp 383->387 386->387 387->380 392 40dfd5-40dfed 387->392 392->377
                                                                                                APIs
                                                                                                • memset.MSVCRT ref: 0040DDAD
                                                                                                  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                                                                                • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                                                  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                  • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                                                • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                                • CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                                                • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                                • _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                                • _wcsicmp.MSVCRT ref: 0040DEC5
                                                                                                • _wcsicmp.MSVCRT ref: 0040DED8
                                                                                                • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                                                                                                • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                                                                                                • DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                                                                                                • memset.MSVCRT ref: 0040DF5F
                                                                                                • CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
                                                                                                • _wcsicmp.MSVCRT ref: 0040DFB2
                                                                                                • CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
                                                                                                • String ID: dllhost.exe$p+v@Fv@Bv$taskhost.exe$taskhostex.exe
                                                                                                • API String ID: 708747863-3857311822
                                                                                                • Opcode ID: 5cab624b8928eaf00a06d38b2ee3d6eb31f92f98f3d88623932f7a2009947366
                                                                                                • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                                                                                                • Opcode Fuzzy Hash: 5cab624b8928eaf00a06d38b2ee3d6eb31f92f98f3d88623932f7a2009947366
                                                                                                • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58
                                                                                                APIs
                                                                                                  • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                                  • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                                                                                  • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
                                                                                                  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                                                                                • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                                                                                • free.MSVCRT ref: 00418803
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
                                                                                                • String ID:
                                                                                                • API String ID: 1355100292-0
                                                                                                • Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                                                                • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                                                                                                • Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                                                                • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                                                                                                APIs
                                                                                                • CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Library$Load$AddressCryptDataDirectoryFreeProcSystemUnprotectmemsetwcscatwcscpy
                                                                                                • String ID:
                                                                                                • API String ID: 767404330-0
                                                                                                • Opcode ID: 91f5c8417cc05eb5371089ee99512099cd95d68580e827c1857cd6a30ed1daf0
                                                                                                • Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
                                                                                                • Opcode Fuzzy Hash: 91f5c8417cc05eb5371089ee99512099cd95d68580e827c1857cd6a30ed1daf0
                                                                                                • Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
                                                                                                APIs
                                                                                                • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                                                                                • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: FileFind$FirstNext
                                                                                                • String ID:
                                                                                                • API String ID: 1690352074-0
                                                                                                • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                                • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                                                                                • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                                • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                                                                                APIs
                                                                                                • memset.MSVCRT ref: 0041898C
                                                                                                • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: InfoSystemmemset
                                                                                                • String ID:
                                                                                                • API String ID: 3558857096-0
                                                                                                • Opcode ID: 1cb27ac447f4cf033b6cba199a5ddcb1fdd974c12d9e405e28a5f35c0eb83b67
                                                                                                • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                                                                                • Opcode Fuzzy Hash: 1cb27ac447f4cf033b6cba199a5ddcb1fdd974c12d9e405e28a5f35c0eb83b67
                                                                                                • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 0 44553b-445558 call 44db70 3 445599-4455a2 0->3 4 44555a-44557c call 40c768 call 40bdb0 call 4135f7 0->4 5 4455a8-4455e3 memset call 403988 wcsrchr 3->5 6 4457fb 3->6 40 44558e-445594 call 444b06 4->40 41 44557e-44558c call 4136c0 call 41366b 4->41 19 4455e5 5->19 20 4455e8-4455f9 5->20 10 445800-445809 6->10 11 445856-44585f 10->11 12 44580b-44581e call 40a889 call 403e2d 10->12 15 445861-445874 call 40a889 call 403c9c 11->15 16 4458ac-4458b5 11->16 42 445823-445826 12->42 49 445879-44587c 15->49 21 44594f-445958 16->21 22 4458bb-44592b memset * 2 call 414c2e call 40b2cc call 409d1f call 409b98 16->22 19->20 23 445672-445683 call 40a889 call 403fbe 20->23 24 4455fb-445601 20->24 35 4459f2-4459fa 21->35 36 44595e-4459ce memset * 2 call 414c2e call 40b2cc call 409d1f call 409b98 21->36 135 44592d-445945 call 40b6ef 22->135 136 44594a 22->136 84 445685 23->84 85 4456b2-4456b5 call 40b1ab 23->85 29 445605-445607 24->29 30 445603 24->30 29->23 38 445609-44560d 29->38 30->29 44 445a00-445aa1 memset * 2 call 414c2e call 40b2cc call 409d1f call 40b2cc call 40ae18 35->44 45 445b29-445b32 35->45 153 4459d0-4459e8 call 40b6ef 36->153 154 4459ed 36->154 38->23 48 44560f-445641 call 4087b3 call 40a889 call 4454bf 38->48 40->3 41->40 51 44584c-445854 call 40b1ab 42->51 52 445828 42->52 182 445b08-445b15 call 40ae51 44->182 53 445c7c-445c85 45->53 54 445b38-445b96 memset * 3 45->54 150 445665-445670 call 40b1ab 48->150 151 445643-445663 call 40a9b5 call 4087b3 48->151 64 4458a2-4458aa call 40b1ab 49->64 65 44587e 49->65 51->11 67 44582e-445847 call 40a9b5 call 4087b3 52->67 61 445d1c-445d25 53->61 62 445c8b-445cf3 memset * 2 call 414c2e call 409d1f call 409b98 53->62 68 445bd4-445c72 call 414c2e call 40b2cc call 409d1f call 445389 call 40b2cc call 409d1f call 445389 call 40b2cc call 409d1f call 445389 54->68 69 445b98-445ba0 54->69 73 445fae-445fb2 61->73 74 445d2b-445d3b 61->74 168 445cf5 62->168 169 445cfc-445d03 62->169 64->16 81 445884-44589d call 40a9b5 call 4087b3 65->81 138 445849 67->138 247 445c77 68->247 69->68 83 445ba2-445bcf call 4099c6 call 445403 call 445389 69->83 90 445d3d-445d65 call 409c52 call 40b2cc _wcsicmp 74->90 91 445d88-445e15 memset * 3 call 414c2e call 40b2cc call 409d1f call 409b98 74->91 156 44589f 81->156 83->53 100 44568b-4456a4 call 40a9b5 call 4087b3 84->100 104 4456ba-4456c4 85->104 162 445d67-445d6c 90->162 163 445d71-445d83 call 445093 90->163 196 445e17 91->196 197 445e1e-445e25 91->197 158 4456a9-4456b0 100->158 118 4457f9 104->118 119 4456ca-4456d3 call 413cfa call 413d4c 104->119 118->6 172 4456d8-4456f7 call 40b2cc call 413fa6 119->172 135->136 136->21 138->51 150->104 151->150 153->154 154->35 156->64 158->85 158->100 174 445fa1-445fa9 call 40b6ef 162->174 163->73 168->169 179 445d05-445d13 169->179 180 445d17 169->180 206 4456fd-445796 memset * 4 call 409c70 * 3 172->206 207 4457ea-4457f7 call 413d29 172->207 174->73 179->180 180->61 200 445b17-445b27 call 40aebe 182->200 201 445aa3-445ab0 call 40add4 182->201 196->197 202 445e27-445e59 call 40b2cc call 409d1f call 409b98 197->202 203 445e6b-445e7e call 445093 197->203 200->45 201->182 219 445ab2-445b03 memset call 40b2cc call 409d1f call 445389 201->219 242 445e62-445e69 202->242 243 445e5b 202->243 218 445f67-445f99 call 40b2cc call 409d1f call 409b98 203->218 206->207 246 445798-4457ca call 40b2cc call 409d1f call 409b98 206->246 207->10 218->73 253 445f9b 218->253 219->182 242->203 248 445e83-445ef5 memset call 40b2cc call 409d1f call 40ae18 242->248 243->242 246->207 265 4457cc-4457e5 call 4087b3 246->265 247->53 264 445f4d-445f5a call 40ae51 248->264 253->174 269 445ef7-445f04 call 40add4 264->269 270 445f5c-445f62 call 40aebe 264->270 265->207 269->264 274 445f06-445f38 call 40b2cc call 409d1f call 409b98 269->274 270->218 274->264 281 445f3a-445f48 call 445093 274->281 281->264
                                                                                                APIs
                                                                                                • memset.MSVCRT ref: 004455C2
                                                                                                • wcsrchr.MSVCRT ref: 004455DA
                                                                                                • memset.MSVCRT ref: 0044570D
                                                                                                • memset.MSVCRT ref: 00445725
                                                                                                  • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                                                                                  • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                                                                                  • Part of subcall function 0040BDB0: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                                                  • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                                                                                  • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
                                                                                                  • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                                                                                  • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                                                  • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                                                • memset.MSVCRT ref: 0044573D
                                                                                                • memset.MSVCRT ref: 00445755
                                                                                                • memset.MSVCRT ref: 004458CB
                                                                                                • memset.MSVCRT ref: 004458E3
                                                                                                • memset.MSVCRT ref: 0044596E
                                                                                                • memset.MSVCRT ref: 00445A10
                                                                                                • memset.MSVCRT ref: 00445A28
                                                                                                • memset.MSVCRT ref: 00445AC6
                                                                                                  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                  • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                                  • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                                                  • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                                                                                  • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                                                  • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                                                • memset.MSVCRT ref: 00445B52
                                                                                                • memset.MSVCRT ref: 00445B6A
                                                                                                • memset.MSVCRT ref: 00445C9B
                                                                                                • memset.MSVCRT ref: 00445CB3
                                                                                                • _wcsicmp.MSVCRT ref: 00445D56
                                                                                                • memset.MSVCRT ref: 00445B82
                                                                                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                  • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                  • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                  • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                                                                                  • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                                                                                • memset.MSVCRT ref: 00445986
                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateFolderHandlePathProcSizeSpecial_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
                                                                                                • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                                                                • API String ID: 1963886904-3798722523
                                                                                                • Opcode ID: 4107367e6a52814d16d978fdb1f2ed27fa2de906a3c2bdd9af1925875ae5045e
                                                                                                • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                                                                                • Opcode Fuzzy Hash: 4107367e6a52814d16d978fdb1f2ed27fa2de906a3c2bdd9af1925875ae5045e
                                                                                                • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                  • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044C3
                                                                                                  • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                                  • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044E9
                                                                                                  • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                • SetErrorMode.KERNELBASE(00008001,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 00412799
                                                                                                • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004127B2
                                                                                                • EnumResourceTypesW.KERNEL32(00000000,?,00000002), ref: 004127B9
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                                                                • String ID: $/deleteregkey$/savelangfile
                                                                                                • API String ID: 2744995895-28296030
                                                                                                • Opcode ID: fcad638c039a134244896b453c320ca2d1027186d3b9ab8085e6916e84848b7d
                                                                                                • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                                                                                • Opcode Fuzzy Hash: fcad638c039a134244896b453c320ca2d1027186d3b9ab8085e6916e84848b7d
                                                                                                • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • memset.MSVCRT ref: 0040B71C
                                                                                                  • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                                                                                  • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                                                                                • wcsrchr.MSVCRT ref: 0040B738
                                                                                                • memset.MSVCRT ref: 0040B756
                                                                                                • memset.MSVCRT ref: 0040B7F5
                                                                                                • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                • CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
                                                                                                • CloseHandle.KERNELBASE(00000000,?,?), ref: 0040B838
                                                                                                • memset.MSVCRT ref: 0040B851
                                                                                                • memset.MSVCRT ref: 0040B8CA
                                                                                                • memcmp.MSVCRT(?,v10,00000003), ref: 0040B9BF
                                                                                                  • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                  • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                  • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                                                • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
                                                                                                • memset.MSVCRT ref: 0040BB53
                                                                                                • memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
                                                                                                • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: memset$File$Freewcsrchr$AddressCloseCopyCreateCryptDataDeleteHandleLibraryLocalProcUnprotectmemcmpmemcpywcscpy
                                                                                                • String ID: chp$v10
                                                                                                • API String ID: 1297422669-2783969131
                                                                                                • Opcode ID: 544f7529f0c4d3a53e9c457f8d9cabf322a2e4b31897d0a2c4cc607292de5a12
                                                                                                • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                                                                                • Opcode Fuzzy Hash: 544f7529f0c4d3a53e9c457f8d9cabf322a2e4b31897d0a2c4cc607292de5a12
                                                                                                • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 504 40e2ab-40e2ce call 40695d call 406b90 508 40e2d3-40e2d5 504->508 509 40e4a0-40e4af call 4069a3 508->509 510 40e2db-40e300 508->510 511 40e304-40e316 call 406e8f 510->511 516 40e476-40e483 call 406b53 511->516 517 40e31c-40e39b call 40dd50 * 7 memset call 40aa29 511->517 523 40e302 516->523 524 40e489-40e495 call 40aa04 516->524 541 40e3c9-40e3ce 517->541 542 40e39d-40e3ae call 40742e 517->542 523->511 524->509 529 40e497-40e49f free 524->529 529->509 544 40e3d0-40e3d6 541->544 545 40e3d9-40e3de 541->545 551 40e3b0 542->551 552 40e3b3-40e3c1 wcschr 542->552 544->545 547 40e3e0-40e3f1 memcpy 545->547 548 40e3f4-40e3f9 545->548 547->548 549 40e3fb-40e40c memcpy 548->549 550 40e40f-40e414 548->550 549->550 553 40e416-40e427 memcpy 550->553 554 40e42a-40e42f 550->554 551->552 552->541 555 40e3c3-40e3c6 552->555 553->554 556 40e431-40e442 memcpy 554->556 557 40e445-40e44a 554->557 555->541 556->557 558 40e44c-40e45b 557->558 559 40e45e-40e463 557->559 558->559 559->516 560 40e465-40e469 559->560 560->516 561 40e46b-40e473 560->561 561->516
                                                                                                APIs
                                                                                                  • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                  • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                • free.MSVCRT ref: 0040E49A
                                                                                                  • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                • memset.MSVCRT ref: 0040E380
                                                                                                  • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                  • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,Function_0004E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                                                • wcschr.MSVCRT ref: 0040E3B8
                                                                                                • memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,75922EE0), ref: 0040E3EC
                                                                                                • memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,75922EE0), ref: 0040E407
                                                                                                • memcpy.MSVCRT(?,-00000220,00000008,Function_0004E518,00000000,00000000,75922EE0), ref: 0040E422
                                                                                                • memcpy.MSVCRT(?,-00000220,00000008,Function_0004E518,00000000,00000000,75922EE0), ref: 0040E43D
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
                                                                                                • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                                                                • API String ID: 3849927982-2252543386
                                                                                                • Opcode ID: 3e36793f9e080becf73b9dda80bc1391f7a6b1e793b4af3828a127e2c1810b15
                                                                                                • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                                                                                • Opcode Fuzzy Hash: 3e36793f9e080becf73b9dda80bc1391f7a6b1e793b4af3828a127e2c1810b15
                                                                                                • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 562 4091b8-40921b memset call 40a6e6 call 444432 567 409520-409526 562->567 568 409221-40923b call 40b273 call 438552 562->568 572 409240-409248 568->572 573 409383-4093ab call 40b273 call 438552 572->573 574 40924e-409258 call 4251c4 572->574 586 4093b1 573->586 587 4094ff-40950b call 443d90 573->587 579 40937b-40937e call 424f26 574->579 580 40925e-409291 call 4253cf * 2 call 4253af * 2 574->580 579->573 580->579 610 409297-409299 580->610 590 4093d3-4093dd call 4251c4 586->590 587->567 596 40950d-409511 587->596 597 4093b3-4093cc call 4253cf * 2 590->597 598 4093df 590->598 596->567 600 409513-40951d call 408f2f 596->600 597->590 613 4093ce-4093d1 597->613 602 4094f7-4094fa call 424f26 598->602 600->567 602->587 610->579 612 40929f-4092a3 610->612 612->579 614 4092a9-4092ba 612->614 613->590 617 4093e4-4093fb call 4253af * 2 613->617 615 4092bc 614->615 616 4092be-4092e3 memcpy memcmp 614->616 615->616 618 409333-409345 memcmp 616->618 619 4092e5-4092ec 616->619 617->602 627 409401-409403 617->627 618->579 622 409347-40935f memcpy 618->622 619->579 621 4092f2-409331 memcpy * 2 619->621 624 409363-409378 memcpy 621->624 622->624 624->579 627->602 628 409409-40941b memcmp 627->628 628->602 629 409421-409433 memcmp 628->629 630 4094a4-4094b6 memcmp 629->630 631 409435-40943c 629->631 630->602 633 4094b8-4094ed memcpy * 2 630->633 631->602 632 409442-4094a2 memcpy * 3 631->632 634 4094f4 632->634 633->634 634->602
                                                                                                APIs
                                                                                                • memset.MSVCRT ref: 004091E2
                                                                                                  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                                • memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                                                • memcpy.MSVCRT(?,00000023,?), ref: 0040930C
                                                                                                • memcpy.MSVCRT(?,?,00000010), ref: 00409325
                                                                                                • memcmp.MSVCRT(00000000,0045A4E8,00000006), ref: 0040933B
                                                                                                • memcpy.MSVCRT(?,00000015,?), ref: 00409357
                                                                                                • memcpy.MSVCRT(?,?,00000010), ref: 00409370
                                                                                                • memcmp.MSVCRT(00000000,004599B8,00000010), ref: 00409411
                                                                                                • memcmp.MSVCRT(00000000,0045A500,00000006), ref: 00409429
                                                                                                • memcpy.MSVCRT(?,00000023,?), ref: 00409462
                                                                                                • memcpy.MSVCRT(?,?,00000010), ref: 0040947E
                                                                                                • memcpy.MSVCRT(?,?,00000020), ref: 0040949A
                                                                                                • memcmp.MSVCRT(00000000,0045A4F8,00000006), ref: 004094AC
                                                                                                • memcpy.MSVCRT(?,00000015,?), ref: 004094D0
                                                                                                • memcpy.MSVCRT(?,?,00000020), ref: 004094E8
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                                                                • String ID:
                                                                                                • API String ID: 3715365532-3916222277
                                                                                                • Opcode ID: 1c524b1582e21d5cf33c38ae172dfd569e4d92201c70e2bcc6981c46efb40b80
                                                                                                • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                                                                                • Opcode Fuzzy Hash: 1c524b1582e21d5cf33c38ae172dfd569e4d92201c70e2bcc6981c46efb40b80
                                                                                                • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 635 413d4c-413da0 call 40b633 CreateToolhelp32Snapshot memset Process32FirstW 638 413f00-413f11 Process32NextW 635->638 639 413da5-413ded OpenProcess 638->639 640 413f17-413f24 CloseHandle 638->640 641 413eb0-413eb5 639->641 642 413df3-413e26 memset call 413f27 639->642 641->638 644 413eb7-413ebd 641->644 650 413e79-413e9d call 413959 call 413ca4 642->650 651 413e28-413e35 642->651 645 413ec8-413eda call 4099f4 644->645 646 413ebf-413ec6 free 644->646 648 413edb-413ee2 645->648 646->648 655 413ee4 648->655 656 413ee7-413efe 648->656 662 413ea2-413eae CloseHandle 650->662 653 413e61-413e68 651->653 654 413e37-413e44 GetModuleHandleW 651->654 653->650 659 413e6a-413e76 653->659 654->653 658 413e46-413e5c GetProcAddress 654->658 655->656 656->638 658->653 659->650 662->641
                                                                                                APIs
                                                                                                  • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00413D6A
                                                                                                • memset.MSVCRT ref: 00413D7F
                                                                                                • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                                                                                • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                                                                                • memset.MSVCRT ref: 00413E07
                                                                                                • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                                                                                • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                                                                                                • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                                                                                                • free.MSVCRT ref: 00413EC1
                                                                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                                                                                • CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Handle$CloseProcess32freememset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
                                                                                                • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                                                • API String ID: 1344430650-1740548384
                                                                                                • Opcode ID: 7edb3ed668d67efb41ddc3a99b3dcc2d3fa5e99a9f713289acc2c2ca3bb66fb8
                                                                                                • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                                                                                • Opcode Fuzzy Hash: 7edb3ed668d67efb41ddc3a99b3dcc2d3fa5e99a9f713289acc2c2ca3bb66fb8
                                                                                                • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                  • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                                                                  • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                                                  • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                                  • Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                                                  • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                                  • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                                  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                                • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                  • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                                  • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                  • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                  • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
                                                                                                • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                                • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                                • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                                • CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                                                • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                                                                • CloseHandle.KERNEL32(?), ref: 0040E148
                                                                                                • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                                                                • String ID: bhv
                                                                                                • API String ID: 4234240956-2689659898
                                                                                                • Opcode ID: d6173e2fc1e4a9acd8e6e5097b502ef7bad012bb9f4f5ce7a241332e90e3d993
                                                                                                • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                                                                                • Opcode Fuzzy Hash: d6173e2fc1e4a9acd8e6e5097b502ef7bad012bb9f4f5ce7a241332e90e3d993
                                                                                                • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 691 413f4f-413f52 692 413fa5 691->692 693 413f54-413f5a call 40a804 691->693 695 413f5f-413fa4 GetProcAddress * 5 693->695 695->692
                                                                                                APIs
                                                                                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                                • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                                • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                                • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                                • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                • API String ID: 2941347001-70141382
                                                                                                • Opcode ID: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                                                                                • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                                                                                                • Opcode Fuzzy Hash: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                                                                                • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • memset.MSVCRT ref: 0040C298
                                                                                                  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                  • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                                                                                  • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                                                                                  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                                • wcschr.MSVCRT ref: 0040C324
                                                                                                • wcschr.MSVCRT ref: 0040C344
                                                                                                • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                                • GetLastError.KERNEL32 ref: 0040C373
                                                                                                • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                                                                                • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
                                                                                                • String ID: visited:
                                                                                                • API String ID: 2470578098-1702587658
                                                                                                • Opcode ID: 93c9a51482be428e2f8f42027b6bca19130ab09787b58ace62cc7f2a9cf54466
                                                                                                • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                                                                                • Opcode Fuzzy Hash: 93c9a51482be428e2f8f42027b6bca19130ab09787b58ace62cc7f2a9cf54466
                                                                                                • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 721 40e175-40e1a1 call 40695d call 406b90 726 40e1a7-40e1e5 memset 721->726 727 40e299-40e2a8 call 4069a3 721->727 729 40e1e8-40e1fa call 406e8f 726->729 733 40e270-40e27d call 406b53 729->733 734 40e1fc-40e219 call 40dd50 * 2 729->734 733->729 739 40e283-40e286 733->739 734->733 745 40e21b-40e21d 734->745 742 40e291-40e294 call 40aa04 739->742 743 40e288-40e290 free 739->743 742->727 743->742 745->733 746 40e21f-40e235 call 40742e 745->746 746->733 749 40e237-40e242 call 40aae3 746->749 749->733 752 40e244-40e26b _snwprintf call 40a8d0 749->752 752->733
                                                                                                APIs
                                                                                                  • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                • memset.MSVCRT ref: 0040E1BD
                                                                                                  • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                • free.MSVCRT ref: 0040E28B
                                                                                                  • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                  • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                                                                                  • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                                                                                • _snwprintf.MSVCRT ref: 0040E257
                                                                                                  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                  • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                                                                • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                                                                • API String ID: 2804212203-2982631422
                                                                                                • Opcode ID: 1336a280070a4f27ef0c8ccd157a42e88156c8d5617ab228165dee6bd52a4842
                                                                                                • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                                                                                • Opcode Fuzzy Hash: 1336a280070a4f27ef0c8ccd157a42e88156c8d5617ab228165dee6bd52a4842
                                                                                                • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 754 40b58d-40b59e 755 40b5a4-40b5c0 GetModuleHandleW FindResourceW 754->755 756 40b62e-40b632 754->756 757 40b5c2-40b5ce LoadResource 755->757 758 40b5e7 755->758 757->758 759 40b5d0-40b5e5 SizeofResource LockResource 757->759 760 40b5e9-40b5eb 758->760 759->760 760->756 761 40b5ed-40b5ef 760->761 761->756 762 40b5f1-40b629 call 40afcf memcpy call 40b4d3 call 40b3c1 call 40b04b 761->762 762->756
                                                                                                APIs
                                                                                                • GetModuleHandleW.KERNEL32(00000000,?, AE,?,?,00411B78,?,General,?,00000000,00000001), ref: 0040B5A5
                                                                                                • FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
                                                                                                • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                                                                                • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                                                                                • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                                                                                • memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                                                                                • String ID: AE$BIN
                                                                                                • API String ID: 1668488027-3931574542
                                                                                                • Opcode ID: 34e809506899ed03cb1dc36614dfe32cef5e62f1a3b34244b0efced66f6d4593
                                                                                                • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                                                                                • Opcode Fuzzy Hash: 34e809506899ed03cb1dc36614dfe32cef5e62f1a3b34244b0efced66f6d4593
                                                                                                • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                  • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                  • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                                  • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                                                • memset.MSVCRT ref: 0040BC75
                                                                                                • memset.MSVCRT ref: 0040BC8C
                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,Function_0004E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                                                                                • memcmp.MSVCRT(?,00000000,00000005,?,?,?,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE), ref: 0040BCD6
                                                                                                • memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
                                                                                                • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
                                                                                                • String ID:
                                                                                                • API String ID: 115830560-3916222277
                                                                                                • Opcode ID: 4ebf604db45489440b0c8485e844b7deffc41ff7e568ae10611abfa3d316197e
                                                                                                • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                                                                                                • Opcode Fuzzy Hash: 4ebf604db45489440b0c8485e844b7deffc41ff7e568ae10611abfa3d316197e
                                                                                                • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 822 41837f-4183bf 823 4183c1-4183cc call 418197 822->823 824 4183dc-4183ec call 418160 822->824 829 4183d2-4183d8 823->829 830 418517-41851d 823->830 831 4183f6-41840b 824->831 832 4183ee-4183f1 824->832 829->824 833 418417-418423 831->833 834 41840d-418415 831->834 832->830 835 418427-418442 call 41739b 833->835 834->835 838 418444-41845d CreateFileW 835->838 839 41845f-418475 CreateFileA 835->839 840 418477-41847c 838->840 839->840 841 4184c2-4184c7 840->841 842 41847e-418495 GetLastError free 840->842 845 4184d5-418501 memset call 418758 841->845 846 4184c9-4184d3 841->846 843 4184b5-4184c0 call 444706 842->843 844 418497-4184b3 call 41837f 842->844 843->830 844->830 850 418506-418515 free 845->850 846->845 850->830
                                                                                                APIs
                                                                                                • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                                                                                • CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
                                                                                                • GetLastError.KERNEL32 ref: 0041847E
                                                                                                • free.MSVCRT ref: 0041848B
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CreateFile$ErrorLastfree
                                                                                                • String ID: |A
                                                                                                • API String ID: 77810686-1717621600
                                                                                                • Opcode ID: b9220c8ee9235e77546fc7e578fe859ac5c7910c95b4d012992e052ab282d142
                                                                                                • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                                                                                                • Opcode Fuzzy Hash: b9220c8ee9235e77546fc7e578fe859ac5c7910c95b4d012992e052ab282d142
                                                                                                • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • memset.MSVCRT ref: 0041249C
                                                                                                • ??2@YAPAXI@Z.MSVCRT(00002A88), ref: 004124D2
                                                                                                • ??2@YAPAXI@Z.MSVCRT(00000350), ref: 00412510
                                                                                                • GetModuleHandleW.KERNEL32(00000000,0000000E), ref: 00412582
                                                                                                • LoadIconW.USER32(00000000,00000065), ref: 0041258B
                                                                                                • wcscpy.MSVCRT ref: 004125A0
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                                                                                • String ID: r!A
                                                                                                • API String ID: 2791114272-628097481
                                                                                                • Opcode ID: c924fcd7ecfcbdf661535418ab9e4f477d4ea067639620652b406838daccced0
                                                                                                • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                                                                                                • Opcode Fuzzy Hash: c924fcd7ecfcbdf661535418ab9e4f477d4ea067639620652b406838daccced0
                                                                                                • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49
                                                                                                APIs
                                                                                                  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                                                  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                                                  • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                                                  • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                                                                                  • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                                  • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                                                                                  • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                                                                                  • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                                  • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                                                                                  • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                                                                                  • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                                  • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                                                                                  • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                                                                                  • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                                • _wcslwr.MSVCRT ref: 0040C817
                                                                                                  • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                                                                                  • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                                                                                • wcslen.MSVCRT ref: 0040C82C
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                                                                                • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                                                                • API String ID: 2936932814-4196376884
                                                                                                • Opcode ID: b881829d82f0d8b9654aa99a04529af2f3c2152f6b010e5444e3d03ead400705
                                                                                                • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                                                                                                • Opcode Fuzzy Hash: b881829d82f0d8b9654aa99a04529af2f3c2152f6b010e5444e3d03ead400705
                                                                                                • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D
                                                                                                APIs
                                                                                                • memset.MSVCRT ref: 0040A824
                                                                                                • GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                • wcscpy.MSVCRT ref: 0040A854
                                                                                                • wcscat.MSVCRT ref: 0040A86A
                                                                                                • LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                • LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                • String ID: C:\Windows\system32
                                                                                                • API String ID: 669240632-2896066436
                                                                                                • Opcode ID: 808217d469f29374b6c53add07773bde8ba425e7a3f83fd710eb9a2b8acfca27
                                                                                                • Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
                                                                                                • Opcode Fuzzy Hash: 808217d469f29374b6c53add07773bde8ba425e7a3f83fd710eb9a2b8acfca27
                                                                                                • Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
                                                                                                APIs
                                                                                                  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                                                  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                                                  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                                                  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                                                  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                                                • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                                                • wcslen.MSVCRT ref: 0040BE06
                                                                                                • wcsncmp.MSVCRT ref: 0040BE38
                                                                                                • memset.MSVCRT ref: 0040BE91
                                                                                                • memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                                                • _wcsnicmp.MSVCRT ref: 0040BEFC
                                                                                                • wcschr.MSVCRT ref: 0040BF24
                                                                                                • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: AddressProc$CredEnumerateFreeLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
                                                                                                • String ID:
                                                                                                • API String ID: 697348961-0
                                                                                                • Opcode ID: 33cbc3fbfef4114ffc04ab79ab4e472c1ca1484598d0cfc67a802b423a316e07
                                                                                                • Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
                                                                                                • Opcode Fuzzy Hash: 33cbc3fbfef4114ffc04ab79ab4e472c1ca1484598d0cfc67a802b423a316e07
                                                                                                • Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69
                                                                                                APIs
                                                                                                • memset.MSVCRT ref: 00403CBF
                                                                                                • memset.MSVCRT ref: 00403CD4
                                                                                                • memset.MSVCRT ref: 00403CE9
                                                                                                • memset.MSVCRT ref: 00403CFE
                                                                                                • memset.MSVCRT ref: 00403D13
                                                                                                  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                • memset.MSVCRT ref: 00403DDA
                                                                                                  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                  • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                                                • String ID: Waterfox$Waterfox\Profiles
                                                                                                • API String ID: 4039892925-11920434
                                                                                                • Opcode ID: 74213e66932f07ea3ad059af1798c87c438cc92db4e0e7cdb609a7dadd567ada
                                                                                                • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                                                                                • Opcode Fuzzy Hash: 74213e66932f07ea3ad059af1798c87c438cc92db4e0e7cdb609a7dadd567ada
                                                                                                • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
                                                                                                APIs
                                                                                                • memset.MSVCRT ref: 00403E50
                                                                                                • memset.MSVCRT ref: 00403E65
                                                                                                • memset.MSVCRT ref: 00403E7A
                                                                                                • memset.MSVCRT ref: 00403E8F
                                                                                                • memset.MSVCRT ref: 00403EA4
                                                                                                  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                • memset.MSVCRT ref: 00403F6B
                                                                                                  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                  • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                                                • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                                                                • API String ID: 4039892925-2068335096
                                                                                                • Opcode ID: fb8d06a7ed3fa35f71d99b938417e45633d605fe1ac21657eef3450a4ac41d2d
                                                                                                • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                                                                                                • Opcode Fuzzy Hash: fb8d06a7ed3fa35f71d99b938417e45633d605fe1ac21657eef3450a4ac41d2d
                                                                                                • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
                                                                                                APIs
                                                                                                • memset.MSVCRT ref: 00403FE1
                                                                                                • memset.MSVCRT ref: 00403FF6
                                                                                                • memset.MSVCRT ref: 0040400B
                                                                                                • memset.MSVCRT ref: 00404020
                                                                                                • memset.MSVCRT ref: 00404035
                                                                                                  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                • memset.MSVCRT ref: 004040FC
                                                                                                  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                  • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                                                • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                                                                • API String ID: 4039892925-3369679110
                                                                                                • Opcode ID: a800c2c864e82bb525ebc7d4b700ce70e1897f56eef446e490fc18a40a012dd3
                                                                                                • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                                                                                                • Opcode Fuzzy Hash: a800c2c864e82bb525ebc7d4b700ce70e1897f56eef446e490fc18a40a012dd3
                                                                                                • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
                                                                                                APIs
                                                                                                • memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: memcpy
                                                                                                • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                                                                                • API String ID: 3510742995-2641926074
                                                                                                • Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                                                • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                                                                                                • Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                                                • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                                                                                                APIs
                                                                                                  • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                                                  • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                                                                                  • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                                                                                • memset.MSVCRT ref: 004033B7
                                                                                                • memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
                                                                                                • wcscmp.MSVCRT ref: 004033FC
                                                                                                • _wcsicmp.MSVCRT ref: 00403439
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
                                                                                                • String ID: $0.@
                                                                                                • API String ID: 2758756878-1896041820
                                                                                                • Opcode ID: 90c1bd1f00aab923b8f25d437f952d518439630af4329cefc1ee53129d619d56
                                                                                                • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                                                                                                • Opcode Fuzzy Hash: 90c1bd1f00aab923b8f25d437f952d518439630af4329cefc1ee53129d619d56
                                                                                                • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                                                                                                APIs
                                                                                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                • String ID:
                                                                                                • API String ID: 2941347001-0
                                                                                                • Opcode ID: 80e482451f5ca37e8404f50e4d067f365766b265f7642500ec0655012d68ebd6
                                                                                                • Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
                                                                                                • Opcode Fuzzy Hash: 80e482451f5ca37e8404f50e4d067f365766b265f7642500ec0655012d68ebd6
                                                                                                • Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C
                                                                                                APIs
                                                                                                • memset.MSVCRT ref: 00403C09
                                                                                                • memset.MSVCRT ref: 00403C1E
                                                                                                  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                  • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                                                                                  • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                                                                                • wcscat.MSVCRT ref: 00403C47
                                                                                                  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                • wcscat.MSVCRT ref: 00403C70
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
                                                                                                • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                                                                • API String ID: 1534475566-1174173950
                                                                                                • Opcode ID: 8452d1ff202b3ecdc32f03c4689b339ff6508c8f38893fabe83067ed25a4ac21
                                                                                                • Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
                                                                                                • Opcode Fuzzy Hash: 8452d1ff202b3ecdc32f03c4689b339ff6508c8f38893fabe83067ed25a4ac21
                                                                                                • Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
                                                                                                APIs
                                                                                                  • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                                                • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                • memset.MSVCRT ref: 00414C87
                                                                                                • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                • wcscpy.MSVCRT ref: 00414CFC
                                                                                                  • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                                                                                Strings
                                                                                                • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: AddressCloseFolderPathProcSpecialVersionmemsetwcscpy
                                                                                                • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                                • API String ID: 71295984-2036018995
                                                                                                • Opcode ID: f400cfab40eb781a7377af97b809c3f02e1ff83a00fe342fd0a4f0569afe9d8a
                                                                                                • Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
                                                                                                • Opcode Fuzzy Hash: f400cfab40eb781a7377af97b809c3f02e1ff83a00fe342fd0a4f0569afe9d8a
                                                                                                • Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
                                                                                                APIs
                                                                                                • wcschr.MSVCRT ref: 00414458
                                                                                                • _snwprintf.MSVCRT ref: 0041447D
                                                                                                • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                                                                • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                                                • String ID: "%s"
                                                                                                • API String ID: 1343145685-3297466227
                                                                                                • Opcode ID: aabbe202c5f79078aea71dac5ab2605718744c8b92afc7520f4e067a7367162e
                                                                                                • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                                                                                                • Opcode Fuzzy Hash: aabbe202c5f79078aea71dac5ab2605718744c8b92afc7520f4e067a7367162e
                                                                                                • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                                                                                                APIs
                                                                                                • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                                                                • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                                                                                • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: AddressHandleModuleProcProcessTimes
                                                                                                • String ID: GetProcessTimes$kernel32.dll
                                                                                                • API String ID: 1714573020-3385500049
                                                                                                • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                                                • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
                                                                                                • Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                                                • Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
                                                                                                APIs
                                                                                                • memset.MSVCRT ref: 004087D6
                                                                                                  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                  • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                                                                                • memset.MSVCRT ref: 00408828
                                                                                                • memset.MSVCRT ref: 00408840
                                                                                                • memset.MSVCRT ref: 00408858
                                                                                                • memset.MSVCRT ref: 00408870
                                                                                                • memset.MSVCRT ref: 00408888
                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                                                                                • String ID:
                                                                                                • API String ID: 2911713577-0
                                                                                                • Opcode ID: 6684bba834465d20886231ffe2d62564197a18c1a2325da43f028315e65dbcab
                                                                                                • Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
                                                                                                • Opcode Fuzzy Hash: 6684bba834465d20886231ffe2d62564197a18c1a2325da43f028315e65dbcab
                                                                                                • Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
                                                                                                APIs
                                                                                                • memcmp.MSVCRT(?,?,00000004,?,00000065,004381DF,00000065,00000000,00000007,?,00000000), ref: 0041F202
                                                                                                • memcmp.MSVCRT(?,SQLite format 3,00000010,?,00000065,004381DF,00000065,00000000), ref: 0041F22D
                                                                                                • memcmp.MSVCRT(?,@ ,00000003,?,?,00000065,004381DF,00000065,00000000), ref: 0041F299
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: memcmp
                                                                                                • String ID: @ $SQLite format 3
                                                                                                • API String ID: 1475443563-3708268960
                                                                                                • Opcode ID: bc797f5c287fbec082bfe36368e8bdb92b626008a1b8340b8f00afaa449410d4
                                                                                                • Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
                                                                                                • Opcode Fuzzy Hash: bc797f5c287fbec082bfe36368e8bdb92b626008a1b8340b8f00afaa449410d4
                                                                                                • Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: _wcsicmpqsort
                                                                                                • String ID: /nosort$/sort
                                                                                                • API String ID: 1579243037-1578091866
                                                                                                • Opcode ID: a0f12cb90dd745c164ef67684cb79943b88980d13b6e843c418957b63f9314a7
                                                                                                • Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
                                                                                                • Opcode Fuzzy Hash: a0f12cb90dd745c164ef67684cb79943b88980d13b6e843c418957b63f9314a7
                                                                                                • Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
                                                                                                APIs
                                                                                                • memset.MSVCRT ref: 0040E60F
                                                                                                • memset.MSVCRT ref: 0040E629
                                                                                                  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                Strings
                                                                                                • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                                                                • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: memsetwcslen$AttributesFileFolderPathSpecialwcscatwcscpy
                                                                                                • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                                                                • API String ID: 2887208581-2114579845
                                                                                                • Opcode ID: 45b77cc57d7adabb6b76daf53bfb3be083a41c4971f5e6ab387fbe8a56a2d209
                                                                                                • Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
                                                                                                • Opcode Fuzzy Hash: 45b77cc57d7adabb6b76daf53bfb3be083a41c4971f5e6ab387fbe8a56a2d209
                                                                                                • Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998
                                                                                                APIs
                                                                                                • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                                                                                • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                                                                • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                                                                • LockResource.KERNEL32(00000000), ref: 004148EF
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Resource$FindLoadLockSizeof
                                                                                                • String ID:
                                                                                                • API String ID: 3473537107-0
                                                                                                • Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                                                • Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
                                                                                                • Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                                                • Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
                                                                                                APIs
                                                                                                • ??3@YAXPAX@Z.MSVCRT(021E0048), ref: 0044DF01
                                                                                                • ??3@YAXPAX@Z.MSVCRT(021F0050), ref: 0044DF11
                                                                                                • ??3@YAXPAX@Z.MSVCRT(00936E08), ref: 0044DF21
                                                                                                • ??3@YAXPAX@Z.MSVCRT(021F0458), ref: 0044DF31
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ??3@
                                                                                                • String ID:
                                                                                                • API String ID: 613200358-0
                                                                                                • Opcode ID: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                                                                • Instruction ID: aa45652f999bbb0892b85dcd7393972dd4dfe4e89c7b59a5f1a68188070d07e1
                                                                                                • Opcode Fuzzy Hash: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                                                                • Instruction Fuzzy Hash: 5EE08C60F0830052BA31EBBABD40E2723EC5E1AB4271A842FB905C3282CE2CC880C02D
                                                                                                APIs
                                                                                                Strings
                                                                                                • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: memset
                                                                                                • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                                                • API String ID: 2221118986-1725073988
                                                                                                • Opcode ID: d115b1de85cb0c2c74241db9f2e26d4ca9f76d3b3ab36ed3aa85b1754c3cbe0d
                                                                                                • Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
                                                                                                • Opcode Fuzzy Hash: d115b1de85cb0c2c74241db9f2e26d4ca9f76d3b3ab36ed3aa85b1754c3cbe0d
                                                                                                • Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96
                                                                                                APIs
                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,00000000,00412966,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004125C3
                                                                                                • DeleteObject.GDI32(00000000), ref: 004125E7
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ??3@DeleteObject
                                                                                                • String ID: r!A
                                                                                                • API String ID: 1103273653-628097481
                                                                                                • Opcode ID: 35011d0761a793af9b86058f165b74ada9e8dfd6de6a99c5cda2ffee1e56a26e
                                                                                                • Instruction ID: d381ae2e1f6c469d4091c7bd434485f036f098756071eb86a226830a39d2e28c
                                                                                                • Opcode Fuzzy Hash: 35011d0761a793af9b86058f165b74ada9e8dfd6de6a99c5cda2ffee1e56a26e
                                                                                                • Instruction Fuzzy Hash: 72E04F75000302DFD7115F26E400782B7F5FF85315F11455EE89497151EBB96164CE19
                                                                                                APIs
                                                                                                • ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0CC
                                                                                                • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0EA
                                                                                                • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D108
                                                                                                • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D126
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ??2@
                                                                                                • String ID:
                                                                                                • API String ID: 1033339047-0
                                                                                                • Opcode ID: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                                                                                • Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
                                                                                                • Opcode Fuzzy Hash: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                                                                                • Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49
                                                                                                APIs
                                                                                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                                • memcmp.MSVCRT(?,0044EC68,00000010,?,00000000,?), ref: 00444BA5
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: AddressProc$memcmp
                                                                                                • String ID: $$8
                                                                                                • API String ID: 2808797137-435121686
                                                                                                • Opcode ID: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                                                                • Instruction ID: 2c4e4273d6b09173b98ec99ba1a72f96ebc6587eba5c15334d9e54441f883a66
                                                                                                • Opcode Fuzzy Hash: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                                                                • Instruction Fuzzy Hash: 04314171A00209ABEB10DFA6CDC1BAEB7B9FF88314F11055AE515A3241D778ED048B69
                                                                                                Strings
                                                                                                • too many columns on %s, xrefs: 00430763
                                                                                                • duplicate column name: %s, xrefs: 004307FE
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: duplicate column name: %s$too many columns on %s
                                                                                                • API String ID: 0-1445880494
                                                                                                • Opcode ID: 93b9582cf047c94b57d064edc5564507e5ded9912264045a732c21487ec891bf
                                                                                                • Instruction ID: 332525b9e829d337f3b342900587a6bcab00951879d739311f42b30c77ca79e1
                                                                                                • Opcode Fuzzy Hash: 93b9582cf047c94b57d064edc5564507e5ded9912264045a732c21487ec891bf
                                                                                                • Instruction Fuzzy Hash: 5E314735500705AFCB109F55C891ABEB7B5EF88318F24815BE8969B342C738F841CB99
                                                                                                APIs
                                                                                                  • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                  • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                  • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                                  • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                  • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                                  • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                                  • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                  • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                                  • Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                                                • CloseHandle.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                                                                                                  • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                                                                                  • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                                                                                  • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,75922EE0), ref: 0040E3EC
                                                                                                • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                                                                                • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                                                                                                  • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                                                                                  • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                                                                                  • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
                                                                                                • String ID:
                                                                                                • API String ID: 1979745280-0
                                                                                                • Opcode ID: db5b060151050967cb8a3560fbfd23956168ef1b290a982d56d7add8c3b4651d
                                                                                                • Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
                                                                                                • Opcode Fuzzy Hash: db5b060151050967cb8a3560fbfd23956168ef1b290a982d56d7add8c3b4651d
                                                                                                • Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58
                                                                                                APIs
                                                                                                  • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                                                                                  • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                                                                                  • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                                                                                  • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                                                                                • memset.MSVCRT ref: 00403A55
                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                  • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
                                                                                                • String ID: history.dat$places.sqlite
                                                                                                • API String ID: 2641622041-467022611
                                                                                                • Opcode ID: 3785298ac20b2a611d3c3277302934fe50b5cf091534855024bd32ed14c81bb0
                                                                                                • Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
                                                                                                • Opcode Fuzzy Hash: 3785298ac20b2a611d3c3277302934fe50b5cf091534855024bd32ed14c81bb0
                                                                                                • Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69
                                                                                                APIs
                                                                                                  • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                                  • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                                                                                  • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                                                                                • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                                                                                • GetLastError.KERNEL32 ref: 00417627
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorLast$File$PointerRead
                                                                                                • String ID:
                                                                                                • API String ID: 839530781-0
                                                                                                • Opcode ID: 43cd8d8e6b63bda72f55cb56ee55d1ec8e5478229177a04f989a23650c495d71
                                                                                                • Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
                                                                                                • Opcode Fuzzy Hash: 43cd8d8e6b63bda72f55cb56ee55d1ec8e5478229177a04f989a23650c495d71
                                                                                                • Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: FileFindFirst
                                                                                                • String ID: *.*$index.dat
                                                                                                • API String ID: 1974802433-2863569691
                                                                                                • Opcode ID: 357f5a483d779ef34e4c4d87daa9b3f5529f5b59003a03b6604f1343cb38d30a
                                                                                                • Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
                                                                                                • Opcode Fuzzy Hash: 357f5a483d779ef34e4c4d87daa9b3f5529f5b59003a03b6604f1343cb38d30a
                                                                                                • Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
                                                                                                APIs
                                                                                                • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                                • GetLastError.KERNEL32 ref: 004175A2
                                                                                                • GetLastError.KERNEL32 ref: 004175A8
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorLast$FilePointer
                                                                                                • String ID:
                                                                                                • API String ID: 1156039329-0
                                                                                                • Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                                                • Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
                                                                                                • Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                                                • Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
                                                                                                APIs
                                                                                                • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                • CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: File$CloseCreateHandleTime
                                                                                                • String ID:
                                                                                                • API String ID: 3397143404-0
                                                                                                • Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                                                                • Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
                                                                                                • Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                                                                • Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665
                                                                                                APIs
                                                                                                • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                                • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Temp$DirectoryFileNamePathWindows
                                                                                                • String ID:
                                                                                                • API String ID: 1125800050-0
                                                                                                • Opcode ID: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                                                                • Instruction ID: b144c37017a21c6b5a3d1d2b3cfc872714830df517851edcd0bc871ed666fd71
                                                                                                • Opcode Fuzzy Hash: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                                                                • Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8
                                                                                                APIs
                                                                                                • Sleep.KERNEL32(00000064), ref: 004175D0
                                                                                                • CloseHandle.KERNELBASE(?,00000000,00000000,0045DBC0,00417C24,00000008,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CloseHandleSleep
                                                                                                • String ID: }A
                                                                                                • API String ID: 252777609-2138825249
                                                                                                • Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                                                                • Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
                                                                                                • Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                                                                • Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524
                                                                                                APIs
                                                                                                • malloc.MSVCRT ref: 00409A10
                                                                                                • memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                                                                                • free.MSVCRT ref: 00409A31
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: freemallocmemcpy
                                                                                                • String ID:
                                                                                                • API String ID: 3056473165-0
                                                                                                • Opcode ID: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                                                                                                • Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
                                                                                                • Opcode Fuzzy Hash: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                                                                                                • Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58
                                                                                                APIs
                                                                                                Strings
                                                                                                • failed memory resize %u to %u bytes, xrefs: 00415358
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: realloc
                                                                                                • String ID: failed memory resize %u to %u bytes
                                                                                                • API String ID: 471065373-2134078882
                                                                                                • Opcode ID: 3434da1dbcbe40749f7bb19bb969ba9348cca2f332a45bcd3c57ad1b142d0162
                                                                                                • Instruction ID: fa0be88ae63bf8e7a0ec1cbb838f3bc130d20eb0a75070b99cf9e4f37552e13a
                                                                                                • Opcode Fuzzy Hash: 3434da1dbcbe40749f7bb19bb969ba9348cca2f332a45bcd3c57ad1b142d0162
                                                                                                • Instruction Fuzzy Hash: 6EF05CB3A01705E7D2109A55DC418CBF3DCDFC0755B06082FF998D3201E168E88083B6
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: d
                                                                                                • API String ID: 0-2564639436
                                                                                                • Opcode ID: b7bdb433cc21537495b9453c0ef7e1d4136cbb83a95eb0b3518e055101e122e1
                                                                                                • Instruction ID: 98c7df9677761670a5e344a1c7628a8b006f0a2246df1cf6f5c5c4488f8f87fd
                                                                                                • Opcode Fuzzy Hash: b7bdb433cc21537495b9453c0ef7e1d4136cbb83a95eb0b3518e055101e122e1
                                                                                                • Instruction Fuzzy Hash: 4591ABB0508302AFDB20DF19D88196FBBE4BF88358F50192FF88497251D778D985CB9A
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: memset
                                                                                                • String ID: BINARY
                                                                                                • API String ID: 2221118986-907554435
                                                                                                • Opcode ID: bc3d19a7d02c8d15955695c672ee8877c8483ff31dc40855ee5cfcc836beaa69
                                                                                                • Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
                                                                                                • Opcode Fuzzy Hash: bc3d19a7d02c8d15955695c672ee8877c8483ff31dc40855ee5cfcc836beaa69
                                                                                                • Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: _wcsicmp
                                                                                                • String ID: /stext
                                                                                                • API String ID: 2081463915-3817206916
                                                                                                • Opcode ID: 43183885e7d34794edc347ee746a2fdce482efa4a93d67cd5162a7f7a47e1933
                                                                                                • Instruction ID: 10e6e7fbaeb1b3fbdbf907bfc38f809d5841ace5bac79d7196eddb000c1bc607
                                                                                                • Opcode Fuzzy Hash: 43183885e7d34794edc347ee746a2fdce482efa4a93d67cd5162a7f7a47e1933
                                                                                                • Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95
                                                                                                APIs
                                                                                                  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                                                                                  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                                                                                • CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                                  • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
                                                                                                • String ID:
                                                                                                • API String ID: 2445788494-0
                                                                                                • Opcode ID: f98f4580e944ff1394539a417ce627da6ec9f8ae179723ff754f94650361ffdf
                                                                                                • Instruction ID: dc8783d9a6c7baf78a377756874cfbd60b78407a6d3acdf6d1052ad5173bbb79
                                                                                                • Opcode Fuzzy Hash: f98f4580e944ff1394539a417ce627da6ec9f8ae179723ff754f94650361ffdf
                                                                                                • Instruction Fuzzy Hash: 91118275804208AFDB10AF6ADC45C8A7F75FF01364711C27AF525A72A1D6349A18CBA5
                                                                                                APIs
                                                                                                Strings
                                                                                                • failed to allocate %u bytes of memory, xrefs: 004152F0
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: malloc
                                                                                                • String ID: failed to allocate %u bytes of memory
                                                                                                • API String ID: 2803490479-1168259600
                                                                                                • Opcode ID: 331d9f3b8e40439b36498a1be208f9c7b855b07c1663acfa81ecf9407a5950a4
                                                                                                • Instruction ID: 0aa28a7b77b2060330bf56ee6aba3953d7f003d38adef6953018dc3bb0cf108c
                                                                                                • Opcode Fuzzy Hash: 331d9f3b8e40439b36498a1be208f9c7b855b07c1663acfa81ecf9407a5950a4
                                                                                                • Instruction Fuzzy Hash: 0FE026B7F01A12A3C200561AFD01AC677919FC132572B013BF92CD36C1E638D896C7A9
                                                                                                APIs
                                                                                                • memset.MSVCRT ref: 0041BDDF
                                                                                                • memcmp.MSVCRT(00001388,?,00000010,?,00000065,00000065,?,?,?,?,?,0041F1B4,?,00000065,004381DF,00000065), ref: 0041BDF1
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: memcmpmemset
                                                                                                • String ID:
                                                                                                • API String ID: 1065087418-0
                                                                                                • Opcode ID: fec4f8c686635726a589492d039bcbb9c6040c3e4ffa7e28f30a1ad23493d54b
                                                                                                • Instruction ID: cf105cae5e27f97c9cd1c3f46a8d5e16e2707a712041142e317bfb3d1f631299
                                                                                                • Opcode Fuzzy Hash: fec4f8c686635726a589492d039bcbb9c6040c3e4ffa7e28f30a1ad23493d54b
                                                                                                • Instruction Fuzzy Hash: 2A615B71A01349EBDB14EFA495815EEB7B4EB04308F1440AFE609D3241E738AED4DB99
                                                                                                APIs
                                                                                                  • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040ECF9
                                                                                                  • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040EDC0
                                                                                                • GetStdHandle.KERNEL32(000000F5,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00410530
                                                                                                • CloseHandle.KERNELBASE(00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00410654
                                                                                                  • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
                                                                                                  • Part of subcall function 0040973C: GetLastError.KERNEL32(00000000,?,00410669,00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00409750
                                                                                                  • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                                                                                  • Part of subcall function 0040973C: MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00409796
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
                                                                                                • String ID:
                                                                                                • API String ID: 1381354015-0
                                                                                                • Opcode ID: 77225ea8c14d98a1088d43b9fd7330a512e035650861724d713e236cc530cbe1
                                                                                                • Instruction ID: c777e68e994987bb064ab7fb99de871126f79ef1b866bcb434911d427814d160
                                                                                                • Opcode Fuzzy Hash: 77225ea8c14d98a1088d43b9fd7330a512e035650861724d713e236cc530cbe1
                                                                                                • Instruction Fuzzy Hash: BE417231A00204EFCB25AF65C885A9E77B6EF84711F20446FF446A7291C7B99EC0DE59
                                                                                                APIs
                                                                                                • memset.MSVCRT ref: 004301AD
                                                                                                • memcpy.MSVCRT(000001A8,?,00000020,?,00000000,00000000,00443DCE,00000000,00000000,00000000,?,00445FAE,?), ref: 004301CD
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: memcpymemset
                                                                                                • String ID:
                                                                                                • API String ID: 1297977491-0
                                                                                                • Opcode ID: 5779d3908ed9fcb9905e682258c98d3473ff673b5cf038f88537d7202db00c15
                                                                                                • Instruction ID: 4c6ebae2fd17f46eb6a701b53e5b2159fa076c350f721ddb3a961165d25aeca7
                                                                                                • Opcode Fuzzy Hash: 5779d3908ed9fcb9905e682258c98d3473ff673b5cf038f88537d7202db00c15
                                                                                                • Instruction Fuzzy Hash: F331BE72A00214EBDF10DF59C881A9EB7B4EF48714F24959AE804AF242C775EE41CB98
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: free
                                                                                                • String ID:
                                                                                                • API String ID: 1294909896-0
                                                                                                • Opcode ID: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                                                                                                • Instruction ID: 7f33cc2486ffea160e999b9abaf125df84647c5341351ad01334bd221cd3bada
                                                                                                • Opcode Fuzzy Hash: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                                                                                                • Instruction Fuzzy Hash: 32D042B0404B008ED7B0DF39D401602BBF0AB093143118D2E90AAC2A50E775A0149F08
                                                                                                APIs
                                                                                                  • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                                                                                  • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                  • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                  • Part of subcall function 0040A02C: CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                                • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: File$Time$CloseCompareCreateHandlememset
                                                                                                • String ID:
                                                                                                • API String ID: 2154303073-0
                                                                                                • Opcode ID: b49b02137a533de872d41cf471f5063eaa0d82b3b55f9ade19adc7adaa1443d9
                                                                                                • Instruction ID: d476be81a684c5cf971044fbd14bb177a9e73989d843208b34704cc982626f94
                                                                                                • Opcode Fuzzy Hash: b49b02137a533de872d41cf471f5063eaa0d82b3b55f9ade19adc7adaa1443d9
                                                                                                • Instruction Fuzzy Hash: 11111CB6D00218ABCB11EFA5D9415DEBBB9EF44315F20407BE841F7281DA389F45CB95
                                                                                                APIs
                                                                                                  • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                                • String ID:
                                                                                                • API String ID: 3150196962-0
                                                                                                • Opcode ID: be26bcaf2987f4035eeff70895753d9ab226293c41c78703657a1ba2214892b4
                                                                                                • Instruction ID: 35a9ad0fe6b4507ee66bae46934dcfd2e139bf0842d10804986ce3ee8b034d80
                                                                                                • Opcode Fuzzy Hash: be26bcaf2987f4035eeff70895753d9ab226293c41c78703657a1ba2214892b4
                                                                                                • Instruction Fuzzy Hash: BBF0A4311447126AE6306B7AAC02BE762849F00725F10862EB425D55D1EFA8D5C046AC
                                                                                                APIs
                                                                                                • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                                                  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: File$PointerRead
                                                                                                • String ID:
                                                                                                • API String ID: 3154509469-0
                                                                                                • Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                                                • Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
                                                                                                • Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                                                • Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25
                                                                                                APIs
                                                                                                • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                                                                                  • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                                                                                  • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                                                                                  • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: PrivateProfile$StringWrite_itowmemset
                                                                                                • String ID:
                                                                                                • API String ID: 4232544981-0
                                                                                                • Opcode ID: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                                                                • Instruction ID: 104e910b762de94586eb11e4c264cf061db1895f8dce3fe8c281d71359574313
                                                                                                • Opcode Fuzzy Hash: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                                                                • Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59
                                                                                                APIs
                                                                                                • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: FreeLibrary
                                                                                                • String ID:
                                                                                                • API String ID: 3664257935-0
                                                                                                • Opcode ID: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                                                                • Instruction ID: 9043d1e372537a54137ae43dcd20834ee918eeaa55a47e8e1dedab4d47514996
                                                                                                • Opcode Fuzzy Hash: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                                                                • Instruction Fuzzy Hash: E2E0F6B5900B018FD3708F1BE944406FBF8BFE56113108A1FD4AAC2A24D7B4A1898F54
                                                                                                APIs
                                                                                                  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                                  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                                  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                                  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                                  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                                • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: AddressProc$FileModuleName
                                                                                                • String ID:
                                                                                                • API String ID: 3859505661-0
                                                                                                • Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                • Instruction ID: eb737a8a997ed41d0f7a348c178ce8d4b8225706e43eb580f21eee6dbde26bc7
                                                                                                • Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                • Instruction Fuzzy Hash: 6FD02231B083007BEA20EE70CC00FCBA2F47F40F12F008C5AB191D2080C374C9495305
                                                                                                APIs
                                                                                                • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: FileRead
                                                                                                • String ID:
                                                                                                • API String ID: 2738559852-0
                                                                                                • Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                                                                • Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
                                                                                                • Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                                                                • Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55
                                                                                                APIs
                                                                                                • WriteFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,?,0041056A,00000000,004538EC,00000002,?,00412758,00000000,00000000,?), ref: 0040A325
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: FileWrite
                                                                                                • String ID:
                                                                                                • API String ID: 3934441357-0
                                                                                                • Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                                                • Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
                                                                                                • Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                                                • Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94
                                                                                                APIs
                                                                                                • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: FreeLibrary
                                                                                                • String ID:
                                                                                                • API String ID: 3664257935-0
                                                                                                • Opcode ID: 1d54aae614fa8c55dcd640132eb097a684c5c1cfdaa339356b04098da49b3b41
                                                                                                • Instruction ID: 8f6381f957debc367d4a0444659be52de1bfd3a154b3998764173f6a98a011bd
                                                                                                • Opcode Fuzzy Hash: 1d54aae614fa8c55dcd640132eb097a684c5c1cfdaa339356b04098da49b3b41
                                                                                                • Instruction Fuzzy Hash: 1DD0C9765002229BDB10AF26EC057857378FF00712B110425E810B7594D778BEE68ADC
                                                                                                APIs
                                                                                                • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CreateFile
                                                                                                • String ID:
                                                                                                • API String ID: 823142352-0
                                                                                                • Opcode ID: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                                                                • Instruction ID: 15e4bfb1af8ab284213ec8af4af1ca3ed9a3c322684c6da9746693c795416a08
                                                                                                • Opcode Fuzzy Hash: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                                                                • Instruction Fuzzy Hash: A8C092B0280200BEFE224B10EC15F36755CE744700F2008247E40F40E0C1605E108524
                                                                                                APIs
                                                                                                • CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CreateFile
                                                                                                • String ID:
                                                                                                • API String ID: 823142352-0
                                                                                                • Opcode ID: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                                                                • Instruction ID: 13aef0f41518da9c32968a96bed17b980f0e8f352a8d1793a660c4ee04e7d177
                                                                                                • Opcode Fuzzy Hash: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                                                                • Instruction Fuzzy Hash: B8C012F02903007EFF204B10AC0AF37755DF784700F2048207E40F40E1C2B15C008524
                                                                                                APIs
                                                                                                • ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ??3@
                                                                                                • String ID:
                                                                                                • API String ID: 613200358-0
                                                                                                • Opcode ID: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                                                                • Instruction ID: 6ff791ec813821c2e9e24527ebed0d702daabad41f6d5d50af9b89e3d4ad0470
                                                                                                • Opcode Fuzzy Hash: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                                                                • Instruction Fuzzy Hash: ADC09BB15117014BE7305F15D40471373D49F11727F318C1DA5D1914C2D77CD4408518
                                                                                                APIs
                                                                                                • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: FreeLibrary
                                                                                                • String ID:
                                                                                                • API String ID: 3664257935-0
                                                                                                • Opcode ID: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                                                                • Instruction ID: 97b2006ec1e2dd28fddd19cbcf35086f2a6b1d7d6d8af37d8808782836c913ed
                                                                                                • Opcode Fuzzy Hash: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                                                                • Instruction Fuzzy Hash: C1C04C355107129BE7318F22C849793B3E8BB00767F40C818A56A85454D7BCE594CE28
                                                                                                APIs
                                                                                                • EnumResourceNamesW.KERNELBASE(?,?,004148B6,00000000), ref: 0041494B
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: EnumNamesResource
                                                                                                • String ID:
                                                                                                • API String ID: 3334572018-0
                                                                                                • Opcode ID: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                                                                • Instruction ID: 4cd0fc1a45efe5f4a77ff86a676eea9814a6d41529a344ef69fdb726e0e13cac
                                                                                                • Opcode Fuzzy Hash: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                                                                • Instruction Fuzzy Hash: 5CC09B355943819FD711DF108C05F1A76D5BF95705F104C397151940A0C7614014A60A
                                                                                                APIs
                                                                                                • FreeLibrary.KERNELBASE(00000000), ref: 0044DEB6
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: FreeLibrary
                                                                                                • String ID:
                                                                                                • API String ID: 3664257935-0
                                                                                                • Opcode ID: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                                                                • Instruction ID: c12df66a07a312a107e4de7a98dbd39cb061029a89fa16cd2619b088cce9516a
                                                                                                • Opcode Fuzzy Hash: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                                                                • Instruction Fuzzy Hash: 95C04C35D10311ABFB31AB11ED4975232A5BB00717F52006494128D065D7B8E454CB2D
                                                                                                APIs
                                                                                                • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CloseFind
                                                                                                • String ID:
                                                                                                • API String ID: 1863332320-0
                                                                                                • Opcode ID: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                                                                • Instruction ID: 0a5868f0c47a417661f40efe111cada53839b745ef6d73ffe26d621af3302058
                                                                                                • Opcode Fuzzy Hash: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                                                                • Instruction Fuzzy Hash: 06C092341506058BD62C5F38DC9A42A77A0BF4A3303B40F6CA0F3D24F0E73888538A04
                                                                                                APIs
                                                                                                • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Open
                                                                                                • String ID:
                                                                                                • API String ID: 71445658-0
                                                                                                • Opcode ID: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                                                                                • Instruction ID: 4e31294bd56c0fd8f54a78566f459ab053e1b17b284f5820c9a90ca28514d216
                                                                                                • Opcode Fuzzy Hash: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                                                                                • Instruction Fuzzy Hash: C4C09B35544311BFDE114F40FD09F09BB61BB84B05F004414B254640B182714414EB17
                                                                                                APIs
                                                                                                • GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: AttributesFile
                                                                                                • String ID:
                                                                                                • API String ID: 3188754299-0
                                                                                                • Opcode ID: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                                                                • Instruction ID: 3e515636d229e53f9e638efbf3d1d2cf0185fd636b5c9b7db17c068ea44c501e
                                                                                                • Opcode Fuzzy Hash: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                                                                • Instruction Fuzzy Hash: B9B012792104005BCB0807349C4904D35507F456317200B3CF033C00F0D730CC61BA00
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 4a5c685a9d9bdef1792c919a9c6653d350a9d3b47e85a52724e839495e208d01
                                                                                                • Instruction ID: 186a7b248be49691fb09735f75239c469d17650efe27a5986e87276cb9a2b443
                                                                                                • Opcode Fuzzy Hash: 4a5c685a9d9bdef1792c919a9c6653d350a9d3b47e85a52724e839495e208d01
                                                                                                • Instruction Fuzzy Hash: E8318B31901616EFDF24AF25D8417DA73A0FF04314F10416BF91497251DB38ADE18BDA
                                                                                                APIs
                                                                                                • memset.MSVCRT ref: 004095FC
                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                  • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                                                                                  • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                                  • Part of subcall function 004091B8: memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                                                                                • String ID:
                                                                                                • API String ID: 3655998216-0
                                                                                                • Opcode ID: 06dd2208bba870b09ae4b6a35152530ffce6bfcddb3583e774ca40d5f9d70baf
                                                                                                • Instruction ID: 072a19641c33d96fdc78833b4ff670bebeeceb9371718ab52934a970b5968781
                                                                                                • Opcode Fuzzy Hash: 06dd2208bba870b09ae4b6a35152530ffce6bfcddb3583e774ca40d5f9d70baf
                                                                                                • Instruction Fuzzy Hash: F311607290021D6AEF20A662DC4AE9B376CEF41318F10047BB908E51D2EA79DE548659
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: c75aee8a2a8dfae17061e24b09256e9f24568c4c4acdadc464b978748c80593b
                                                                                                • Instruction ID: 56811e6a31311fae19106e74f332fd481794b0d175407c03959d21f12539f693
                                                                                                • Opcode Fuzzy Hash: c75aee8a2a8dfae17061e24b09256e9f24568c4c4acdadc464b978748c80593b
                                                                                                • Instruction Fuzzy Hash: 4201E572109E01E6DB1029278C81AF766899FC0399F14016FF94886281EEA8EEC542AE
                                                                                                APIs
                                                                                                • memset.MSVCRT ref: 00445426
                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                  • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                  • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                                                                                • String ID:
                                                                                                • API String ID: 1828521557-0
                                                                                                • Opcode ID: 30388877fc1f1466cb5fc4dbbd946ecf0cc3df28c932be715bfff3731eba89eb
                                                                                                • Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
                                                                                                • Opcode Fuzzy Hash: 30388877fc1f1466cb5fc4dbbd946ecf0cc3df28c932be715bfff3731eba89eb
                                                                                                • Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9
                                                                                                APIs
                                                                                                  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                  • Part of subcall function 004062A6: SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                                                • memcpy.MSVCRT(00000000,00000000,?,00000000,00000000,?,00000000,0040627C), ref: 00406942
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ??2@FilePointermemcpy
                                                                                                • String ID:
                                                                                                • API String ID: 609303285-0
                                                                                                • Opcode ID: 56af1d3d616a015a3ecb908bea2399ecc0b12673b9d22b9fdb7fca1b43f88111
                                                                                                • Instruction ID: a147fa8ec668463fbbadbca9a08a444fcb23aa95a0ceadfc627c4072e562ebd5
                                                                                                • Opcode Fuzzy Hash: 56af1d3d616a015a3ecb908bea2399ecc0b12673b9d22b9fdb7fca1b43f88111
                                                                                                • Instruction Fuzzy Hash: 4B11A7B2500108BBDB11A755C840F9F77ADDF85318F16807AF90677281C778AE2687A9
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: _wcsicmp
                                                                                                • String ID:
                                                                                                • API String ID: 2081463915-0
                                                                                                • Opcode ID: cbddd43e50b6ded4d98ad0d82dd6b3ceb41ab08d79f44c56bc7594620457dfc9
                                                                                                • Instruction ID: 44e68c08f8902dbc9d3bec9e3d7b81d72528a2b8c41660eeece459a1934edfa0
                                                                                                • Opcode Fuzzy Hash: cbddd43e50b6ded4d98ad0d82dd6b3ceb41ab08d79f44c56bc7594620457dfc9
                                                                                                • Instruction Fuzzy Hash: 0C118CB1600205AFD710DF65C8809AAB7F8FF44314F11843EE55AE7240EB34F9658B68
                                                                                                APIs
                                                                                                  • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                                                                                  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                                                                                  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: File$CloseCreateErrorHandleLastRead
                                                                                                • String ID:
                                                                                                • API String ID: 2136311172-0
                                                                                                • Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                                                • Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
                                                                                                • Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                                                • Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E
                                                                                                APIs
                                                                                                  • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                                                                                • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ??2@??3@
                                                                                                • String ID:
                                                                                                • API String ID: 1936579350-0
                                                                                                • Opcode ID: b7d64a9db0ab8f7e7b6c625ee8b1c93a5659d73149cb5b89327274070e360fa5
                                                                                                • Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
                                                                                                • Opcode Fuzzy Hash: b7d64a9db0ab8f7e7b6c625ee8b1c93a5659d73149cb5b89327274070e360fa5
                                                                                                • Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: free
                                                                                                • String ID:
                                                                                                • API String ID: 1294909896-0
                                                                                                • Opcode ID: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                                                                • Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
                                                                                                • Opcode Fuzzy Hash: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                                                                • Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: free
                                                                                                • String ID:
                                                                                                • API String ID: 1294909896-0
                                                                                                • Opcode ID: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                                                                • Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
                                                                                                • Opcode Fuzzy Hash: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                                                                • Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: free
                                                                                                • String ID:
                                                                                                • API String ID: 1294909896-0
                                                                                                • Opcode ID: 908a2f96169ffd3f5635234353574390e30f5bbba8146f1a6a93cc8e14f9cc97
                                                                                                • Instruction ID: 5e082493cfe38c59748d9de5a46a99a47989c0e105afa31b953e1adb18ef7a34
                                                                                                • Opcode Fuzzy Hash: 908a2f96169ffd3f5635234353574390e30f5bbba8146f1a6a93cc8e14f9cc97
                                                                                                • Instruction Fuzzy Hash: 17900282455501105C0425755C06505110808A313A376074A7032955D1CE188060601D
                                                                                                APIs
                                                                                                • GetLastError.KERNEL32 ref: 004182D7
                                                                                                  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                                                                                • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                                                                                • LocalFree.KERNEL32(?), ref: 00418342
                                                                                                • free.MSVCRT ref: 00418370
                                                                                                  • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7591DF80,?,0041755F,?), ref: 00417452
                                                                                                  • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
                                                                                                • String ID: OsError 0x%x (%u)
                                                                                                • API String ID: 2360000266-2664311388
                                                                                                • Opcode ID: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                                                                                • Instruction ID: 20f22e5b187e4483f2e635e74e626e0383ca95cf640bb4168ff376264581b0c9
                                                                                                • Opcode Fuzzy Hash: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                                                                                • Instruction Fuzzy Hash: 6011B634901128FBCB11ABE2DC49CDF7F78FF85B54B10405AF811A2251DB754A81D7A9
                                                                                                APIs
                                                                                                • GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Version
                                                                                                • String ID:
                                                                                                • API String ID: 1889659487-0
                                                                                                • Opcode ID: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
                                                                                                • Instruction ID: 34334e4c1a53cba42546035453d5331cf18162d9798f59f763323439a3546438
                                                                                                • Opcode Fuzzy Hash: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
                                                                                                • Instruction Fuzzy Hash: BAE0463590131CCFEB24DB34DB0B7C676F5AB08B46F0104F4C20AC2092D3789688CA2A
                                                                                                APIs
                                                                                                • _wcsicmp.MSVCRT ref: 004022A6
                                                                                                • _wcsicmp.MSVCRT ref: 004022D7
                                                                                                • _wcsicmp.MSVCRT ref: 00402305
                                                                                                • _wcsicmp.MSVCRT ref: 00402333
                                                                                                  • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                  • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,Function_0004E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                                                • memset.MSVCRT ref: 0040265F
                                                                                                • memcpy.MSVCRT(?,?,00000011), ref: 0040269B
                                                                                                  • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                  • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                  • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                                                • memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
                                                                                                • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                                                                                • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: _wcsicmp$Freememcpy$Library$AddressCryptDataLocalProcUnprotectmemsetwcslen
                                                                                                • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                                                                                • API String ID: 2929817778-1134094380
                                                                                                • Opcode ID: 50789d42b67ef9cbe8ec8181fd3a7e8d092fde0b3f08ce177d697f6554f1c07e
                                                                                                • Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
                                                                                                • Opcode Fuzzy Hash: 50789d42b67ef9cbe8ec8181fd3a7e8d092fde0b3f08ce177d697f6554f1c07e
                                                                                                • Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767
                                                                                                APIs
                                                                                                • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                                                                                • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                                                                                • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                                                                                • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                                                                                • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                                                                                • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                                                                                • GetWindowRect.USER32(?,?), ref: 00414088
                                                                                                • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                                                                                • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                                                                                • GetDC.USER32 ref: 004140E3
                                                                                                • wcslen.MSVCRT ref: 00414123
                                                                                                • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                                                                                • ReleaseDC.USER32(?,?), ref: 00414181
                                                                                                • _snwprintf.MSVCRT ref: 00414244
                                                                                                • SetWindowTextW.USER32(?,?), ref: 00414258
                                                                                                • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                                                                                • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                                                                                • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                                                                                • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                                                                                • GetClientRect.USER32(?,?), ref: 004142E1
                                                                                                • GetWindowRect.USER32(?,?), ref: 004142EB
                                                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                                                                                • GetClientRect.USER32(?,?), ref: 0041433B
                                                                                                • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                                                                                • String ID: %s:$EDIT$STATIC
                                                                                                • API String ID: 2080319088-3046471546
                                                                                                • Opcode ID: d5ee3c6463b2dd39cebf85bfb280f62e7b68b75cb8304e0a6374ce3c4529937b
                                                                                                • Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
                                                                                                • Opcode Fuzzy Hash: d5ee3c6463b2dd39cebf85bfb280f62e7b68b75cb8304e0a6374ce3c4529937b
                                                                                                • Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16
                                                                                                APIs
                                                                                                • EndDialog.USER32(?,?), ref: 00413221
                                                                                                • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                                                                                • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                                                                                • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                                                                                • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                                                                                • memset.MSVCRT ref: 00413292
                                                                                                • memset.MSVCRT ref: 004132B4
                                                                                                • memset.MSVCRT ref: 004132CD
                                                                                                • memset.MSVCRT ref: 004132E1
                                                                                                • memset.MSVCRT ref: 004132FB
                                                                                                • memset.MSVCRT ref: 00413310
                                                                                                • GetCurrentProcess.KERNEL32 ref: 00413318
                                                                                                • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                                                                                • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                                                                                • memset.MSVCRT ref: 004133C0
                                                                                                • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                                                                                • memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
                                                                                                • wcscpy.MSVCRT ref: 0041341F
                                                                                                • _snwprintf.MSVCRT ref: 0041348E
                                                                                                • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                                                                                • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                                                                                • SetFocus.USER32(00000000), ref: 004134B7
                                                                                                Strings
                                                                                                • {Unknown}, xrefs: 004132A6
                                                                                                • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                                                                • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                                                                • API String ID: 4111938811-1819279800
                                                                                                • Opcode ID: 40febe18c8ea58ee401dc1d7e9b16ea7dd9e42426c780dab9fc2ef4c2d2113e8
                                                                                                • Instruction ID: fb691a4f2f0ee0f23db40d54bf7b3fb7beca904c55697b54c7815e943e903c38
                                                                                                • Opcode Fuzzy Hash: 40febe18c8ea58ee401dc1d7e9b16ea7dd9e42426c780dab9fc2ef4c2d2113e8
                                                                                                • Instruction Fuzzy Hash: A97182B280021DBFEB219F51DC45EEA3B7CFB08355F0440B6F508A6161DB799E948F69
                                                                                                APIs
                                                                                                • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                                                                                • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                                                                                • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                                                                                • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                                                                                • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                                                                                • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                                                                                • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                                                                                • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                                                                                • SetCursor.USER32(00000000,?,?), ref: 0040129E
                                                                                                • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                                                                                • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                                                                                • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                                                                                • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                                                                                • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                                                                                • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                                                                                • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                                                                                • EndDialog.USER32(?,?), ref: 0040135E
                                                                                                • DeleteObject.GDI32(?), ref: 0040136A
                                                                                                • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                                                                                • ShowWindow.USER32(00000000), ref: 00401398
                                                                                                • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                                                                                • ShowWindow.USER32(00000000), ref: 004013A7
                                                                                                • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                                                                                • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                                                                                • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                                                                                • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                                                                • String ID:
                                                                                                • API String ID: 829165378-0
                                                                                                • Opcode ID: d28eae30b51bd20c699493622e1b5036da36ceab07d34b4d33997197d58435e6
                                                                                                • Instruction ID: caa3714a391556dce09a7e5fb0b25e31ef738818e6d8753142f97b5ec5ee2caf
                                                                                                • Opcode Fuzzy Hash: d28eae30b51bd20c699493622e1b5036da36ceab07d34b4d33997197d58435e6
                                                                                                • Instruction Fuzzy Hash: 0051B134500708AFEB32AF61DC85E6E7BB9FB44301F10093AF552A61F1C7B9A991DB19
                                                                                                APIs
                                                                                                • memset.MSVCRT ref: 00404172
                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                • wcscpy.MSVCRT ref: 004041D6
                                                                                                • wcscpy.MSVCRT ref: 004041E7
                                                                                                • memset.MSVCRT ref: 00404200
                                                                                                • memset.MSVCRT ref: 00404215
                                                                                                • _snwprintf.MSVCRT ref: 0040422F
                                                                                                • wcscpy.MSVCRT ref: 00404242
                                                                                                • memset.MSVCRT ref: 0040426E
                                                                                                • memset.MSVCRT ref: 004042CD
                                                                                                • memset.MSVCRT ref: 004042E2
                                                                                                • _snwprintf.MSVCRT ref: 004042FE
                                                                                                • wcscpy.MSVCRT ref: 00404311
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                                                                                • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                                                                                • API String ID: 2454223109-1580313836
                                                                                                • Opcode ID: a77b9e8d0023a9b0013669bfcd7e150c1f61845d053eff75771d06e602164fa8
                                                                                                • Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
                                                                                                • Opcode Fuzzy Hash: a77b9e8d0023a9b0013669bfcd7e150c1f61845d053eff75771d06e602164fa8
                                                                                                • Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA
                                                                                                APIs
                                                                                                • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                                                • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                                                • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                                                • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                                                • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                                                • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                                                • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                                                • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                                                • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: AddressProc$HandleModule
                                                                                                • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll$p+v@Fv@Bv
                                                                                                • API String ID: 667068680-1085305157
                                                                                                • Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                                                • Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
                                                                                                • Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                                                • Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
                                                                                                APIs
                                                                                                  • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                                                                                • SetMenu.USER32(?,00000000), ref: 00411453
                                                                                                • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                                                                                • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                                                                                • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                                                                                • memcpy.MSVCRT(?,?,00002008,?,00000000,/nosaveload,00000000,00000001), ref: 004115C8
                                                                                                • ShowWindow.USER32(?,?), ref: 004115FE
                                                                                                • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                                                                                • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                                                                                • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                                                                                • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                                                                                • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                                                                                  • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                                                                                  • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                                                                                • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                                                                                • API String ID: 4054529287-3175352466
                                                                                                • Opcode ID: 8847399f9b9726e4c3d36038752de16191353ca0570e8d305bfc5bef64df017b
                                                                                                • Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
                                                                                                • Opcode Fuzzy Hash: 8847399f9b9726e4c3d36038752de16191353ca0570e8d305bfc5bef64df017b
                                                                                                • Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: _snwprintf$memset$wcscpy
                                                                                                • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                • API String ID: 2000436516-3842416460
                                                                                                • Opcode ID: f43de039386cd0382df8450c395ac1cae23be0dcf7256b882f2abc90b2723d32
                                                                                                • Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
                                                                                                • Opcode Fuzzy Hash: f43de039386cd0382df8450c395ac1cae23be0dcf7256b882f2abc90b2723d32
                                                                                                • Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
                                                                                                APIs
                                                                                                  • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                                                                                  • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                                                                                  • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                                  • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                                  • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                                  • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                                  • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                                  • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                                  • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                                  • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                                  • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                                                                                • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                                                                                • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                                                                                • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                                                                                • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                                                                                • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                                                                                • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                                                                                • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                                                                                • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                                                                                • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                                                                                • String ID:
                                                                                                • API String ID: 1043902810-0
                                                                                                • Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                                                • Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
                                                                                                • Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                                                • Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
                                                                                                APIs
                                                                                                  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                                                                                • ??2@YAPAXI@Z.MSVCRT(00000001,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 0040859D
                                                                                                  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                • memset.MSVCRT ref: 004085CF
                                                                                                • memset.MSVCRT ref: 004085F1
                                                                                                • memset.MSVCRT ref: 00408606
                                                                                                • strcmp.MSVCRT ref: 00408645
                                                                                                • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
                                                                                                • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
                                                                                                • memset.MSVCRT ref: 0040870E
                                                                                                • strcmp.MSVCRT ref: 0040876B
                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
                                                                                                • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                                                                                • String ID: ---
                                                                                                • API String ID: 3437578500-2854292027
                                                                                                • Opcode ID: 514a4b219222fc308ac2af9ebc5a2bc9af16dfffa76d3dbf40f60a33dc7994f2
                                                                                                • Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
                                                                                                • Opcode Fuzzy Hash: 514a4b219222fc308ac2af9ebc5a2bc9af16dfffa76d3dbf40f60a33dc7994f2
                                                                                                • Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
                                                                                                APIs
                                                                                                  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                                • malloc.MSVCRT ref: 004186B7
                                                                                                • free.MSVCRT ref: 004186C7
                                                                                                • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                                                                                • free.MSVCRT ref: 004186E0
                                                                                                • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                                                                                • malloc.MSVCRT ref: 004186FE
                                                                                                • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                                                                                • free.MSVCRT ref: 00418716
                                                                                                • free.MSVCRT ref: 0041872A
                                                                                                • free.MSVCRT ref: 00418749
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: free$FullNamePath$malloc$Version
                                                                                                • String ID: |A
                                                                                                • API String ID: 3356672799-1717621600
                                                                                                • Opcode ID: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                                                                                • Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
                                                                                                • Opcode Fuzzy Hash: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                                                                                • Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: _wcsicmp
                                                                                                • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                                                • API String ID: 2081463915-1959339147
                                                                                                • Opcode ID: ed70c74fadb10ab7d72ef9915f44c0908033a9cd6b37cdcdb0b46a34d9d8d060
                                                                                                • Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
                                                                                                • Opcode Fuzzy Hash: ed70c74fadb10ab7d72ef9915f44c0908033a9cd6b37cdcdb0b46a34d9d8d060
                                                                                                • Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E
                                                                                                APIs
                                                                                                • GetDC.USER32(00000000), ref: 004121FF
                                                                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                                                                                • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                                                                                • SetBkMode.GDI32(?,00000001), ref: 00412232
                                                                                                • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                                                                                • SelectObject.GDI32(?,?), ref: 00412251
                                                                                                • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                                                                                • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                                                                                  • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                                                                                  • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                                                                                  • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                                                                                • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                                                                                • SetCursor.USER32(00000000), ref: 004122BC
                                                                                                • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                                                                                • memcpy.MSVCRT(?,?,00002008), ref: 0041234D
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                                                                                • String ID:
                                                                                                • API String ID: 1700100422-0
                                                                                                • Opcode ID: 982738172b7671ed7e60757921d653f6822ff96d67897b30d29685b1d4afaeae
                                                                                                • Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
                                                                                                • Opcode Fuzzy Hash: 982738172b7671ed7e60757921d653f6822ff96d67897b30d29685b1d4afaeae
                                                                                                • Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
                                                                                                APIs
                                                                                                • GetClientRect.USER32(?,?), ref: 004111E0
                                                                                                • GetWindowRect.USER32(?,?), ref: 004111F6
                                                                                                • GetWindowRect.USER32(?,?), ref: 0041120C
                                                                                                • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                                                                                • GetWindowRect.USER32(00000000), ref: 0041124D
                                                                                                • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                                                                                • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                                                                                • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                                                                                • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                                                                                • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                                                                                • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                                                                                • EndDeferWindowPos.USER32(?), ref: 0041130B
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Window$Defer$Rect$BeginClientItemPoints
                                                                                                • String ID:
                                                                                                • API String ID: 552707033-0
                                                                                                • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                                                • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                                                                                                • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                                                • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
                                                                                                APIs
                                                                                                • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
                                                                                                  • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                                                • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                                                                                  • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                                                                                  • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                                                                • memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
                                                                                                • strchr.MSVCRT ref: 0040C140
                                                                                                • strchr.MSVCRT ref: 0040C151
                                                                                                • _strlwr.MSVCRT ref: 0040C15F
                                                                                                • memset.MSVCRT ref: 0040C17A
                                                                                                • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
                                                                                                • String ID: 4$h
                                                                                                • API String ID: 4066021378-1856150674
                                                                                                • Opcode ID: 71bd764b9dcf29740d9000bfd46b6f343dec630bed034bbd58b4fa538d0cb68c
                                                                                                • Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
                                                                                                • Opcode Fuzzy Hash: 71bd764b9dcf29740d9000bfd46b6f343dec630bed034bbd58b4fa538d0cb68c
                                                                                                • Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: memset$_snwprintf
                                                                                                • String ID: %%0.%df
                                                                                                • API String ID: 3473751417-763548558
                                                                                                • Opcode ID: 2b153c1cf1109f668433ad91a4c4fbef48d688dda569af0dd2d123790ad71e5e
                                                                                                • Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
                                                                                                • Opcode Fuzzy Hash: 2b153c1cf1109f668433ad91a4c4fbef48d688dda569af0dd2d123790ad71e5e
                                                                                                • Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
                                                                                                APIs
                                                                                                • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                                                                                • KillTimer.USER32(?,00000041), ref: 004060D7
                                                                                                • KillTimer.USER32(?,00000041), ref: 004060E8
                                                                                                • GetTickCount.KERNEL32 ref: 0040610B
                                                                                                • GetParent.USER32(?), ref: 00406136
                                                                                                • SendMessageW.USER32(00000000), ref: 0040613D
                                                                                                • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                                                                                • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                                                                                • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                                                                                • String ID: A
                                                                                                • API String ID: 2892645895-3554254475
                                                                                                • Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                                                                • Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
                                                                                                • Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                                                                • Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                                                                • String ID: 0$6
                                                                                                • API String ID: 4066108131-3849865405
                                                                                                • Opcode ID: fc96a420e8f8bdf87928e34e657a0b6c1b8723afb93dcca2deed5b8d5a3436dd
                                                                                                • Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
                                                                                                • Opcode Fuzzy Hash: fc96a420e8f8bdf87928e34e657a0b6c1b8723afb93dcca2deed5b8d5a3436dd
                                                                                                • Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
                                                                                                APIs
                                                                                                • memset.MSVCRT ref: 004082EF
                                                                                                  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                • memset.MSVCRT ref: 00408362
                                                                                                • memset.MSVCRT ref: 00408377
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: memset$ByteCharMultiWide
                                                                                                • String ID:
                                                                                                • API String ID: 290601579-0
                                                                                                • Opcode ID: aa14e1b9e389497361ed401ed70ebc10d5f62d7ff5e107018b9223dc9ab6e0fb
                                                                                                • Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
                                                                                                • Opcode Fuzzy Hash: aa14e1b9e389497361ed401ed70ebc10d5f62d7ff5e107018b9223dc9ab6e0fb
                                                                                                • Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
                                                                                                APIs
                                                                                                • memset.MSVCRT ref: 0040A47B
                                                                                                • _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                • wcslen.MSVCRT ref: 0040A4BA
                                                                                                • memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                • wcslen.MSVCRT ref: 0040A4E0
                                                                                                • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: memcpywcslen$_snwprintfmemset
                                                                                                • String ID: %s (%s)$YV@
                                                                                                • API String ID: 3979103747-598926743
                                                                                                • Opcode ID: 1cd29c0c96bb3ddeb02ffde04bffb630c2350d0f86c95190f97a15d0a128dfe3
                                                                                                • Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
                                                                                                • Opcode Fuzzy Hash: 1cd29c0c96bb3ddeb02ffde04bffb630c2350d0f86c95190f97a15d0a128dfe3
                                                                                                • Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
                                                                                                APIs
                                                                                                • LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044C3
                                                                                                • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                                • FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044E9
                                                                                                • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Library$AddressFreeLoadMessageProc
                                                                                                • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                                • API String ID: 2780580303-317687271
                                                                                                • Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                                                                • Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
                                                                                                • Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                                                                • Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
                                                                                                APIs
                                                                                                • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,00409764,?,00000000,?,00410669,00000000,?,00412758,00000000), ref: 0040A686
                                                                                                • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00409764,?,00000000,?,00410669), ref: 0040A6A4
                                                                                                • wcslen.MSVCRT ref: 0040A6B1
                                                                                                • wcscpy.MSVCRT ref: 0040A6C1
                                                                                                • LocalFree.KERNEL32(00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00409764,?,00000000,?,00410669,00000000), ref: 0040A6CB
                                                                                                • wcscpy.MSVCRT ref: 0040A6DB
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                                                                • String ID: Unknown Error$netmsg.dll
                                                                                                • API String ID: 2767993716-572158859
                                                                                                • Opcode ID: 5982e7e4988f8d3682e164896efd2193f6d57f3c4e1bf6f54fb8b809858ad133
                                                                                                • Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
                                                                                                • Opcode Fuzzy Hash: 5982e7e4988f8d3682e164896efd2193f6d57f3c4e1bf6f54fb8b809858ad133
                                                                                                • Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D
                                                                                                APIs
                                                                                                Strings
                                                                                                • cannot ATTACH database within transaction, xrefs: 0042F663
                                                                                                • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                                                                                • out of memory, xrefs: 0042F865
                                                                                                • database is already attached, xrefs: 0042F721
                                                                                                • too many attached databases - max %d, xrefs: 0042F64D
                                                                                                • unable to open database: %s, xrefs: 0042F84E
                                                                                                • database %s is already in use, xrefs: 0042F6C5
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: memcpymemset
                                                                                                • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                                                • API String ID: 1297977491-2001300268
                                                                                                • Opcode ID: 9fef2143278846cd95885c1cbe03afab34c3f4ef307752a183a19874e6a22e95
                                                                                                • Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
                                                                                                • Opcode Fuzzy Hash: 9fef2143278846cd95885c1cbe03afab34c3f4ef307752a183a19874e6a22e95
                                                                                                • Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59
                                                                                                APIs
                                                                                                • DeleteFileW.KERNEL32(00000000,00000000,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
                                                                                                • GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
                                                                                                • GetLastError.KERNEL32 ref: 0041855C
                                                                                                • Sleep.KERNEL32(00000064), ref: 00418571
                                                                                                • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
                                                                                                • GetFileAttributesA.KERNEL32(00000000), ref: 00418581
                                                                                                • GetLastError.KERNEL32 ref: 0041858E
                                                                                                • Sleep.KERNEL32(00000064), ref: 004185A3
                                                                                                • free.MSVCRT ref: 004185AC
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: File$AttributesDeleteErrorLastSleep$free
                                                                                                • String ID:
                                                                                                • API String ID: 2802642348-0
                                                                                                • Opcode ID: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                                                                                • Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
                                                                                                • Opcode Fuzzy Hash: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                                                                                • Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
                                                                                                APIs
                                                                                                • GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                                                                                • wcscpy.MSVCRT ref: 0040D1B5
                                                                                                  • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                                                                                  • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                                                                                • wcslen.MSVCRT ref: 0040D1D3
                                                                                                • GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                                                                                • LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                                                                                • memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                                                                                  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0CC
                                                                                                  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0EA
                                                                                                  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D108
                                                                                                  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D126
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                                                                • String ID: strings
                                                                                                • API String ID: 3166385802-3030018805
                                                                                                • Opcode ID: 07dd20e83a72376c017d688d2d43246e42d1d17d60f688a4af98472ad4cd9316
                                                                                                • Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
                                                                                                • Opcode Fuzzy Hash: 07dd20e83a72376c017d688d2d43246e42d1d17d60f688a4af98472ad4cd9316
                                                                                                • Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D
                                                                                                APIs
                                                                                                  • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                                                                                • memset.MSVCRT ref: 00405455
                                                                                                • memset.MSVCRT ref: 0040546C
                                                                                                • memset.MSVCRT ref: 00405483
                                                                                                • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405498
                                                                                                • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054AD
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: memset$memcpy$ErrorLast
                                                                                                • String ID: 6$\
                                                                                                • API String ID: 404372293-1284684873
                                                                                                • Opcode ID: 0330b9b22cd30b5b2625a0a7e6ceceae146d238a8b356c7611763844912e7754
                                                                                                • Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
                                                                                                • Opcode Fuzzy Hash: 0330b9b22cd30b5b2625a0a7e6ceceae146d238a8b356c7611763844912e7754
                                                                                                • Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
                                                                                                APIs
                                                                                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                                                                                • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                                                                                • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                                                                                • wcscpy.MSVCRT ref: 0040A0D9
                                                                                                • wcscat.MSVCRT ref: 0040A0E6
                                                                                                • wcscat.MSVCRT ref: 0040A0F5
                                                                                                • wcscpy.MSVCRT ref: 0040A107
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                                                                • String ID:
                                                                                                • API String ID: 1331804452-0
                                                                                                • Opcode ID: 23c89843948f9d4d6ccb23a927c15bd8e6af065920e5565f2ade9cfd678fbabf
                                                                                                • Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
                                                                                                • Opcode Fuzzy Hash: 23c89843948f9d4d6ccb23a927c15bd8e6af065920e5565f2ade9cfd678fbabf
                                                                                                • Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
                                                                                                APIs
                                                                                                  • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                                                                                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                • GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                                                • GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                                                • GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                                                • GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                                                • GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                                                • String ID: advapi32.dll
                                                                                                • API String ID: 2012295524-4050573280
                                                                                                • Opcode ID: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                                                                                • Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
                                                                                                • Opcode Fuzzy Hash: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                                                                                • Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
                                                                                                APIs
                                                                                                Strings
                                                                                                • <?xml version="1.0" ?>, xrefs: 0041007C
                                                                                                • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                                                                                • <%s>, xrefs: 004100A6
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: memset$_snwprintf
                                                                                                • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                                • API String ID: 3473751417-2880344631
                                                                                                • Opcode ID: 2b06e63593618d13b5a5b8efcda018c795261ff0c1630acf280f9998f6f819b8
                                                                                                • Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
                                                                                                • Opcode Fuzzy Hash: 2b06e63593618d13b5a5b8efcda018c795261ff0c1630acf280f9998f6f819b8
                                                                                                • Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: wcscat$_snwprintfmemset
                                                                                                • String ID: %2.2X
                                                                                                • API String ID: 2521778956-791839006
                                                                                                • Opcode ID: 31c2c2b958cbfb7d79e881a69437bc30ebdfa5a8327fe047e8a0291744cff554
                                                                                                • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                                                                                                • Opcode Fuzzy Hash: 31c2c2b958cbfb7d79e881a69437bc30ebdfa5a8327fe047e8a0291744cff554
                                                                                                • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: _snwprintfwcscpy
                                                                                                • String ID: dialog_%d$general$menu_%d$strings
                                                                                                • API String ID: 999028693-502967061
                                                                                                • Opcode ID: 80a89c9967db9934379ab2cd2962a5087f7f7915bf37897dca38dc6723802d56
                                                                                                • Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
                                                                                                • Opcode Fuzzy Hash: 80a89c9967db9934379ab2cd2962a5087f7f7915bf37897dca38dc6723802d56
                                                                                                • Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
                                                                                                APIs
                                                                                                  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                                                  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                                                  • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                                  • Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD
                                                                                                • memset.MSVCRT ref: 0040C439
                                                                                                • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                                • _wcsupr.MSVCRT ref: 0040C481
                                                                                                  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                  • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                                                                                • memset.MSVCRT ref: 0040C4D0
                                                                                                • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                                • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                                                                                • String ID:
                                                                                                • API String ID: 4131475296-0
                                                                                                • Opcode ID: f8fc55ba245d1c9f6a3ba6cb2a4711690556c3657263a09b0baeb8372baa9e99
                                                                                                • Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
                                                                                                • Opcode Fuzzy Hash: f8fc55ba245d1c9f6a3ba6cb2a4711690556c3657263a09b0baeb8372baa9e99
                                                                                                • Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
                                                                                                APIs
                                                                                                • memset.MSVCRT ref: 004116FF
                                                                                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                                                                                  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                                                                                  • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                                                                                  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                                                                                  • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                                  • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                                  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                                  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                  • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                                • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                                • API String ID: 2618321458-3614832568
                                                                                                • Opcode ID: 9944a9292e2920dba3aaf51766bf3ae0805637ffbeb5ceac454ead9757247a29
                                                                                                • Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
                                                                                                • Opcode Fuzzy Hash: 9944a9292e2920dba3aaf51766bf3ae0805637ffbeb5ceac454ead9757247a29
                                                                                                • Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: AttributesFilefreememset
                                                                                                • String ID:
                                                                                                • API String ID: 2507021081-0
                                                                                                • Opcode ID: f626a43687866fd62cff7198848d6d3005aba6e6c292beb9a178d7ac8eb7ae81
                                                                                                • Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
                                                                                                • Opcode Fuzzy Hash: f626a43687866fd62cff7198848d6d3005aba6e6c292beb9a178d7ac8eb7ae81
                                                                                                • Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE
                                                                                                APIs
                                                                                                • AreFileApisANSI.KERNEL32 ref: 004174FC
                                                                                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                                                                                • malloc.MSVCRT ref: 00417524
                                                                                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                                                                                • free.MSVCRT ref: 00417544
                                                                                                • free.MSVCRT ref: 00417562
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ByteCharMultiWidefree$ApisFilemalloc
                                                                                                • String ID:
                                                                                                • API String ID: 4131324427-0
                                                                                                • Opcode ID: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                                                                                • Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
                                                                                                • Opcode Fuzzy Hash: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                                                                                • Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
                                                                                                APIs
                                                                                                • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                                                                                • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                                                                                • free.MSVCRT ref: 0041822B
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: PathTemp$free
                                                                                                • String ID: %s\etilqs_$etilqs_
                                                                                                • API String ID: 924794160-1420421710
                                                                                                • Opcode ID: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                                                                                • Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
                                                                                                • Opcode Fuzzy Hash: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                                                                                • Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
                                                                                                APIs
                                                                                                • wcscpy.MSVCRT ref: 0041477F
                                                                                                • wcscpy.MSVCRT ref: 0041479A
                                                                                                • CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,00411B67,?,General,?,00000000,00000001), ref: 004147C1
                                                                                                • CloseHandle.KERNEL32(00000000), ref: 004147C8
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: wcscpy$CloseCreateFileHandle
                                                                                                • String ID: General
                                                                                                • API String ID: 999786162-26480598
                                                                                                • Opcode ID: 54671a12e9c864bd4b64cc02a8f827eeeeb56075ac3ac549414b1b6b262afd21
                                                                                                • Instruction ID: 029e45c8424a23c50dbc4d8c1dfe1f9d14d00e2cf8bd1bf10ef2c4f99c7741b7
                                                                                                • Opcode Fuzzy Hash: 54671a12e9c864bd4b64cc02a8f827eeeeb56075ac3ac549414b1b6b262afd21
                                                                                                • Instruction Fuzzy Hash: 52F024B30083146FF7205B509C85EAF769CEB86369F25482FF05592092C7398C448669
                                                                                                APIs
                                                                                                • GetLastError.KERNEL32(00000000,?,00410669,00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00409750
                                                                                                • _snwprintf.MSVCRT ref: 0040977D
                                                                                                • MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00409796
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorLastMessage_snwprintf
                                                                                                • String ID: Error$Error %d: %s
                                                                                                • API String ID: 313946961-1552265934
                                                                                                • Opcode ID: c861dc242bfbf6db3d3f925a4a6d39e026dc42dc2a3b2392217f61369f55f285
                                                                                                • Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
                                                                                                • Opcode Fuzzy Hash: c861dc242bfbf6db3d3f925a4a6d39e026dc42dc2a3b2392217f61369f55f285
                                                                                                • Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59
                                                                                                APIs
                                                                                                Strings
                                                                                                • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                                                                                • unknown column "%s" in foreign key definition, xrefs: 00431858
                                                                                                • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: memcpy
                                                                                                • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                                • API String ID: 3510742995-272990098
                                                                                                • Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                                                • Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
                                                                                                • Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                                                • Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
                                                                                                APIs
                                                                                                • memset.MSVCRT ref: 0044A6EB
                                                                                                • memset.MSVCRT ref: 0044A6FB
                                                                                                • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                                                • memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: memcpymemset
                                                                                                • String ID: gj
                                                                                                • API String ID: 1297977491-4203073231
                                                                                                • Opcode ID: 89e2b4c479d66d8f351294c0966a75ef3485227debcc485d945bfba73828c7b8
                                                                                                • Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
                                                                                                • Opcode Fuzzy Hash: 89e2b4c479d66d8f351294c0966a75ef3485227debcc485d945bfba73828c7b8
                                                                                                • Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
                                                                                                APIs
                                                                                                • AreFileApisANSI.KERNEL32 ref: 00417497
                                                                                                • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                                                                • malloc.MSVCRT ref: 004174BD
                                                                                                • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                                                                • free.MSVCRT ref: 004174E4
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                                                                                • String ID:
                                                                                                • API String ID: 4053608372-0
                                                                                                • Opcode ID: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                                                                                • Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
                                                                                                • Opcode Fuzzy Hash: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                                                                                • Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
                                                                                                APIs
                                                                                                • GetParent.USER32(?), ref: 0040D453
                                                                                                • GetWindowRect.USER32(?,?), ref: 0040D460
                                                                                                • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                                                                • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                                                                                • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Window$Rect$ClientParentPoints
                                                                                                • String ID:
                                                                                                • API String ID: 4247780290-0
                                                                                                • Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                                                • Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
                                                                                                • Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                                                • Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5
                                                                                                APIs
                                                                                                  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                                • ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                                                • memset.MSVCRT ref: 004450CD
                                                                                                  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                                                  • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                                                                                  • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                                                  • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                                                  • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                                                • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                                                                • String ID:
                                                                                                • API String ID: 1471605966-0
                                                                                                • Opcode ID: edfdfd5907517e88f4142de78b3de7a943e3e7aedefbd09b5ff7bb7402004b57
                                                                                                • Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
                                                                                                • Opcode Fuzzy Hash: edfdfd5907517e88f4142de78b3de7a943e3e7aedefbd09b5ff7bb7402004b57
                                                                                                • Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD
                                                                                                APIs
                                                                                                • wcscpy.MSVCRT ref: 0044475F
                                                                                                • wcscat.MSVCRT ref: 0044476E
                                                                                                • wcscat.MSVCRT ref: 0044477F
                                                                                                • wcscat.MSVCRT ref: 0044478E
                                                                                                  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                  • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                                                                                  • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?,004447CD,?,?,?,00000000,?), ref: 00409AA5
                                                                                                  • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                                                                                • String ID: \StringFileInfo\
                                                                                                • API String ID: 102104167-2245444037
                                                                                                • Opcode ID: 5de2f5fc2277cc411a3074599cad155646ee2126b3ab30f355a99381f63f29ed
                                                                                                • Instruction ID: e4f437c51a7ffcfb72b972a214432876dbdec8abc2c75880463b8380eb377783
                                                                                                • Opcode Fuzzy Hash: 5de2f5fc2277cc411a3074599cad155646ee2126b3ab30f355a99381f63f29ed
                                                                                                • Instruction Fuzzy Hash: 41018FB290021DB6EF10EAA1DC45EDF73BCAB05304F0004B7B514F2052EE38DB969B69
                                                                                                APIs
                                                                                                • memset.MSVCRT ref: 004100FB
                                                                                                • memset.MSVCRT ref: 00410112
                                                                                                  • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                                                  • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                                                • _snwprintf.MSVCRT ref: 00410141
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: memset$_snwprintf_wcslwrwcscpy
                                                                                                • String ID: </%s>
                                                                                                • API String ID: 3400436232-259020660
                                                                                                • Opcode ID: 5b9d86c37e8fc893e623c972aadbd746c4d139f4edb44e4e662c1ed71a902018
                                                                                                • Instruction ID: d6b380c41b5e3e458bf6abeca455f552dea24a705517b0a2e3702c553642f250
                                                                                                • Opcode Fuzzy Hash: 5b9d86c37e8fc893e623c972aadbd746c4d139f4edb44e4e662c1ed71a902018
                                                                                                • Instruction Fuzzy Hash: 9B01DBF3D0012977D730A755CC46FEA76ACEF45304F0000B6BB08B3186DB78DA458A99
                                                                                                APIs
                                                                                                • memset.MSVCRT ref: 0040E770
                                                                                                • SendMessageW.USER32(?,0000105F,00000000,?), ref: 0040E79F
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: MessageSendmemset
                                                                                                • String ID: AE$"
                                                                                                • API String ID: 568519121-1989281832
                                                                                                • Opcode ID: b8b737cf360229c8c3c0ba8ae205d700f5cbc6e636b32f375fd4ccd57fc75389
                                                                                                • Instruction ID: 5049a961280a3e8282645b70ff0f7bf8ff78c54eb6baa8beabb6daf17925e322
                                                                                                • Opcode Fuzzy Hash: b8b737cf360229c8c3c0ba8ae205d700f5cbc6e636b32f375fd4ccd57fc75389
                                                                                                • Instruction Fuzzy Hash: A701A239900204ABEB209F5ACC81EABB7F8FF44B45F008429E854A7291D3349855CF79
                                                                                                APIs
                                                                                                • memset.MSVCRT ref: 0040D58D
                                                                                                • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                                                                                • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ChildEnumTextWindowWindowsmemset
                                                                                                • String ID: caption
                                                                                                • API String ID: 1523050162-4135340389
                                                                                                • Opcode ID: 0d93d59d75102ca4f37fb867a54fcac0e05f73641c093ad9b23abec7f1ae8059
                                                                                                • Instruction ID: dcfab03f3ae0740f4c11e1fd8af26e22289cdce227bdcda27870e2dbaf68b2c3
                                                                                                • Opcode Fuzzy Hash: 0d93d59d75102ca4f37fb867a54fcac0e05f73641c093ad9b23abec7f1ae8059
                                                                                                • Instruction Fuzzy Hash: 50F08131D0031876FB206B95CC4EB8A3268AB04744F000076BE04B61D2DBB8EA44C69D
                                                                                                APIs
                                                                                                  • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                                                                                  • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                                                                                • CreateFontIndirectW.GDI32(?), ref: 00401156
                                                                                                • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                                                                                • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                                                                                • String ID: MS Sans Serif
                                                                                                • API String ID: 210187428-168460110
                                                                                                • Opcode ID: d52be591b3ab58c36f6074870949877e32a333ebc1fa33980d7036594a0e8467
                                                                                                • Instruction ID: 44e142790c58e2983bb51e892a2c7280827b5342727586ee11fe1c2be2fb852b
                                                                                                • Opcode Fuzzy Hash: d52be591b3ab58c36f6074870949877e32a333ebc1fa33980d7036594a0e8467
                                                                                                • Instruction Fuzzy Hash: 7CF082B5A4030877EB326BA1DC46F9A77BDBB44B01F040935F721B91D1D3F4A585C658
                                                                                                APIs
                                                                                                • memset.MSVCRT ref: 0040560C
                                                                                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                                                                                  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                                                                                  • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                                                                                  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                                                                                  • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                                  • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                                  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                                  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                  • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                                • String ID: *.*$dat$wand.dat
                                                                                                • API String ID: 2618321458-1828844352
                                                                                                • Opcode ID: 0657051124b0d036bd635f999d135efdf1f0fa3481af6b00979a6af828487765
                                                                                                • Instruction ID: e27ea46a2f82f1f177a07810d763c9ecc86b2647b265d762bc330c580f82b585
                                                                                                • Opcode Fuzzy Hash: 0657051124b0d036bd635f999d135efdf1f0fa3481af6b00979a6af828487765
                                                                                                • Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89
                                                                                                APIs
                                                                                                • memset.MSVCRT ref: 00412057
                                                                                                  • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,Function_0004E518,Function_0004E518,00000005), ref: 0040A12C
                                                                                                • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                                                                                • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                                                                                • GetKeyState.USER32(00000010), ref: 0041210D
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                                                                • String ID:
                                                                                                • API String ID: 3550944819-0
                                                                                                • Opcode ID: e484aa313eeb80bd7472f2401a4c50dedc9a7c38d875d1deba0becea129ff557
                                                                                                • Instruction ID: 97bad96470fefb965444fbd8e179d7ef3b872eae7f66eff2ef5a186de824ffeb
                                                                                                • Opcode Fuzzy Hash: e484aa313eeb80bd7472f2401a4c50dedc9a7c38d875d1deba0becea129ff557
                                                                                                • Instruction Fuzzy Hash: 5341C330600305EBDB209F15CD88B9677A8AB54324F10817AEA699B2E2D7B89DD1CB14
                                                                                                APIs
                                                                                                • free.MSVCRT ref: 0040F561
                                                                                                • memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
                                                                                                • memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: memcpy$free
                                                                                                • String ID: g4@
                                                                                                • API String ID: 2888793982-2133833424
                                                                                                • Opcode ID: e202219f899f6405cf9ccc08ea0a2323c377b0568c486578cbaaf15be4e6d242
                                                                                                • Instruction ID: 6372a4083673351870aa2a156e9431cadfa41d37230e9e7fabcd635cb7c3c96e
                                                                                                • Opcode Fuzzy Hash: e202219f899f6405cf9ccc08ea0a2323c377b0568c486578cbaaf15be4e6d242
                                                                                                • Instruction Fuzzy Hash: D2217A30900604EFCB20DF29C94182ABBF5FF447247204A7EE852A3B91E735EE119B04
                                                                                                APIs
                                                                                                • memset.MSVCRT ref: 004144E7
                                                                                                  • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                                                                                  • Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                                                • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                                                                                • memset.MSVCRT ref: 0041451A
                                                                                                • GetPrivateProfileStringW.KERNEL32(?,?,Function_0004E518,?,00002000,?), ref: 0041453C
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                                                • String ID:
                                                                                                • API String ID: 1127616056-0
                                                                                                • Opcode ID: 914c831d0af6f6b5d0e69cc874d3cd2e27131541a502a72cc4fac318c133dcf3
                                                                                                • Instruction ID: e03fcf36bb778615f94f946172f2cadce4c7e53e7889dedf6030812535802df7
                                                                                                • Opcode Fuzzy Hash: 914c831d0af6f6b5d0e69cc874d3cd2e27131541a502a72cc4fac318c133dcf3
                                                                                                • Instruction Fuzzy Hash: 9A1170B1500119BFEF115F65EC02EDA7B69EF04714F100066FB09B2060E6319A60DB9D
                                                                                                APIs
                                                                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7591DF80,?,0041755F,?), ref: 00417452
                                                                                                • malloc.MSVCRT ref: 00417459
                                                                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,7591DF80,?,0041755F,?), ref: 00417478
                                                                                                • free.MSVCRT ref: 0041747F
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ByteCharMultiWide$freemalloc
                                                                                                • String ID:
                                                                                                • API String ID: 2605342592-0
                                                                                                • Opcode ID: 393c83f8647a4e4e905b151b9ea1406947fc62e9018515f0e7f821d7fee9a8df
                                                                                                • Instruction ID: 8389f0226c663b3c6d8c6253af8546a3d73aba679155ae8f7c82d0c1376384d0
                                                                                                • Opcode Fuzzy Hash: 393c83f8647a4e4e905b151b9ea1406947fc62e9018515f0e7f821d7fee9a8df
                                                                                                • Instruction Fuzzy Hash: 1DF0E9B620D21E3F7B006AB55CC0C7B7B9CD7862FCB11072FF51091180E9594C1116B6
                                                                                                APIs
                                                                                                • GetModuleHandleW.KERNEL32(00000000,?,00000000), ref: 00412403
                                                                                                • RegisterClassW.USER32(00000001), ref: 00412428
                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                                                                                • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000,?), ref: 00412455
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: HandleModule$ClassCreateRegisterWindow
                                                                                                • String ID:
                                                                                                • API String ID: 2678498856-0
                                                                                                • Opcode ID: 3d8581704458cf3d0e12cdde0886d81e04a6e1a5031830fe2d02856e91d8c1e2
                                                                                                • Instruction ID: 2742b6e08e64d4f702ac0bdc031c2178a10537c5a2141806c9029dd5a11ba4c1
                                                                                                • Opcode Fuzzy Hash: 3d8581704458cf3d0e12cdde0886d81e04a6e1a5031830fe2d02856e91d8c1e2
                                                                                                • Instruction Fuzzy Hash: E601E5B1941228ABD7119FA68C89ADFBEBCFF09B14F10411AF514A2240D7B456408BE9
                                                                                                APIs
                                                                                                • memset.MSVCRT ref: 0040F673
                                                                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00007FFF,00000000,00000000,00000000), ref: 0040F690
                                                                                                • strlen.MSVCRT ref: 0040F6A2
                                                                                                • WriteFile.KERNEL32(00000001,?,00000000,00000000,00000000), ref: 0040F6B3
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                • String ID:
                                                                                                • API String ID: 2754987064-0
                                                                                                • Opcode ID: 2d99b823047ec0f3cd03764c07ddb7da79dd9e7c990c2a315c49f172e64051b9
                                                                                                • Instruction ID: e5447571fde1e0de43d26e7f5909b1ba013d3ab3fbf9ce0dfcc5e01eb4e41d37
                                                                                                • Opcode Fuzzy Hash: 2d99b823047ec0f3cd03764c07ddb7da79dd9e7c990c2a315c49f172e64051b9
                                                                                                • Instruction Fuzzy Hash: 03F062B680102C7FEB81A794DC81DEB77ACEB05258F0080B2B715D2140E9749F484F7D
                                                                                                APIs
                                                                                                • memset.MSVCRT ref: 0040F6E2
                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000001,000000FF,?,00001FFF,00000000,00000000,00000001,0044E5FC,00000000,00000000,00000000,?,00000000,00000000), ref: 0040F6FB
                                                                                                • strlen.MSVCRT ref: 0040F70D
                                                                                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040F71E
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                • String ID:
                                                                                                • API String ID: 2754987064-0
                                                                                                • Opcode ID: 78dfd465d09002bf9bae10831117093d85a4e6860472b193aca7c856fde4830d
                                                                                                • Instruction ID: 4069f22fd96ae38f7b0fbed24adb75974e75abfa9f51d26af0f678a77882025e
                                                                                                • Opcode Fuzzy Hash: 78dfd465d09002bf9bae10831117093d85a4e6860472b193aca7c856fde4830d
                                                                                                • Instruction Fuzzy Hash: C8F06DB780022CBFFB059B94DCC8DEB77ACEB05254F0000A2B715D2042E6749F448BB8
                                                                                                APIs
                                                                                                  • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                                                                                  • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                                                                                  • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                                                                                • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                                                                                • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                                                                                • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                                                                                • GetStockObject.GDI32(00000000), ref: 004143C6
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                                                                • String ID:
                                                                                                • API String ID: 764393265-0
                                                                                                • Opcode ID: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                                                                • Instruction ID: 55a1794077c12dabf0ba6e1c8d3319674f3f2ba5a0574a39bcd6537ad23d1771
                                                                                                • Opcode Fuzzy Hash: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                                                                • Instruction Fuzzy Hash: 3AF06835200219BBCF112FA5EC06EDD3F25BF05321F104536FA25A45F1CBB59D609759
                                                                                                APIs
                                                                                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                                                                                • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                                                                                • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Time$System$File$LocalSpecific
                                                                                                • String ID:
                                                                                                • API String ID: 979780441-0
                                                                                                • Opcode ID: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                                                                                • Instruction ID: f583aad53f3de4022dcae7e9f33737e8013f67213d7447df07319dea818b2b95
                                                                                                • Opcode Fuzzy Hash: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                                                                                • Instruction Fuzzy Hash: 48F08272900219AFEB019BB1DC49FBBB3FCBB0570AF04443AE112E1090D774D0058B65
                                                                                                APIs
                                                                                                • memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
                                                                                                • memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                                                                                • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: memcpy$DialogHandleModuleParam
                                                                                                • String ID:
                                                                                                • API String ID: 1386444988-0
                                                                                                • Opcode ID: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                                                                • Instruction ID: 364e94b7bdcda47f4d7f1f8d7aeee0d56301a77e6e21c3ce81869cca2c347424
                                                                                                • Opcode Fuzzy Hash: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                                                                • Instruction Fuzzy Hash: 80F0E272A843207BF7207FA5AC0AB477E94FB05B03F114826F600E50D2C2B988518F8D
                                                                                                APIs
                                                                                                • wcschr.MSVCRT ref: 0040F79E
                                                                                                • wcschr.MSVCRT ref: 0040F7AC
                                                                                                  • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                                                                                  • Part of subcall function 0040AA8C: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040F7F4), ref: 0040AACB
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: wcschr$memcpywcslen
                                                                                                • String ID: "
                                                                                                • API String ID: 1983396471-123907689
                                                                                                • Opcode ID: 37fc4c0e45f0a8a54b588a11981c40142be0fe56f3c50330bf3b06fef0d62b23
                                                                                                • Instruction ID: b5ec2b97dc3a1d34b4ae52474db4a85f3d32b900c8044ec90cdce640e07fed14
                                                                                                • Opcode Fuzzy Hash: 37fc4c0e45f0a8a54b588a11981c40142be0fe56f3c50330bf3b06fef0d62b23
                                                                                                • Instruction Fuzzy Hash: 7C315532904204ABDF24EFA6C8419EEB7B4EF44324F20457BEC10B75D1DB789A46CE99
                                                                                                APIs
                                                                                                • _snwprintf.MSVCRT ref: 0040A398
                                                                                                • memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: _snwprintfmemcpy
                                                                                                • String ID: %2.2X
                                                                                                • API String ID: 2789212964-323797159
                                                                                                • Opcode ID: ad0fc0dc4c4054376e52d8ba7d115ce3a6dbc9d30928944a1ebc7f5d9ce1ea74
                                                                                                • Instruction ID: 802357eb4f50a043e47c8b78e7782d62930b20b04af67ea92e1f933aeb07fc5a
                                                                                                • Opcode Fuzzy Hash: ad0fc0dc4c4054376e52d8ba7d115ce3a6dbc9d30928944a1ebc7f5d9ce1ea74
                                                                                                • Instruction Fuzzy Hash: 71118E32900309BFEB10DFE8D8829AFB3B9FB05314F108476ED11E7141D6789A258B96
                                                                                                APIs
                                                                                                • GetWindowLongW.USER32(?,000000EC), ref: 0040A159
                                                                                                • SetWindowLongW.USER32(000000EC,000000EC,00000000), ref: 0040A16B
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: LongWindow
                                                                                                • String ID: MZ@
                                                                                                • API String ID: 1378638983-2978689999
                                                                                                • Opcode ID: 897d752f6043cc922bbe5e3779e5fd859b92255b25006c63bcdd8f44162c87a9
                                                                                                • Instruction ID: 658df1d6f65a5f4ca5cf2dc917bfbc57e2b12ac14a328fb0c2cac09aa770bd9f
                                                                                                • Opcode Fuzzy Hash: 897d752f6043cc922bbe5e3779e5fd859b92255b25006c63bcdd8f44162c87a9
                                                                                                • Instruction Fuzzy Hash: 3FC0027415D116AFDF112B35EC0AE2A7EA9BB86362F208BB4B076E01F1CB7184109A09
                                                                                                APIs
                                                                                                • wcslen.MSVCRT ref: 0040B1DE
                                                                                                • free.MSVCRT ref: 0040B201
                                                                                                  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                  • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                                                                                  • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                                • free.MSVCRT ref: 0040B224
                                                                                                • memcpy.MSVCRT(00000000,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: free$memcpy$mallocwcslen
                                                                                                • String ID:
                                                                                                • API String ID: 726966127-0
                                                                                                • Opcode ID: dbfa2e27eb608a9f9479d75297a1486c58e4153ca5a873f0eddd30e24b8e668e
                                                                                                • Instruction ID: 71128cbd9221161776fa816c6212d75478d488e0bdd8d9cf72ea7cd81dda7be0
                                                                                                • Opcode Fuzzy Hash: dbfa2e27eb608a9f9479d75297a1486c58e4153ca5a873f0eddd30e24b8e668e
                                                                                                • Instruction Fuzzy Hash: 02215BB2500604EFD720DF18D881CAAB7F9EF49324B114A6EE452976A1CB35B9158B98
                                                                                                APIs
                                                                                                • strlen.MSVCRT ref: 0040B0D8
                                                                                                • free.MSVCRT ref: 0040B0FB
                                                                                                  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                  • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                                                                                  • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                                • free.MSVCRT ref: 0040B12C
                                                                                                • memcpy.MSVCRT(00000000,?,00000000,00000000,0040B35A,?), ref: 0040B159
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: free$memcpy$mallocstrlen
                                                                                                • String ID:
                                                                                                • API String ID: 3669619086-0
                                                                                                • Opcode ID: 04e6466bee9c2f86a7d5fc6531cc0ab8b23c91005f7f75429686add4e9716e46
                                                                                                • Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
                                                                                                • Opcode Fuzzy Hash: 04e6466bee9c2f86a7d5fc6531cc0ab8b23c91005f7f75429686add4e9716e46
                                                                                                • Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F
                                                                                                APIs
                                                                                                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                                                                                • malloc.MSVCRT ref: 00417407
                                                                                                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                                                                                • free.MSVCRT ref: 00417425
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.2190293602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.2190293602.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_400000_1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ByteCharMultiWide$freemalloc
                                                                                                • String ID:
                                                                                                • API String ID: 2605342592-0
                                                                                                • Opcode ID: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                                                                                • Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
                                                                                                • Opcode Fuzzy Hash: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                                                                                • Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5