Windows Analysis Report
17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe

Overview

General Information

Sample name: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe
Analysis ID: 1527289
MD5: c6a88078a75cf820171ddec254f357f1
SHA1: f02b7858ad352b812f4299b28992499c124d4337
SHA256: b36228caaab561c68ae6fedd187804142090698761163947174d9d7513877567
Tags: base64-decoded, exe, RemcosRAT, user-abuse_ch

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch or control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Extracted malware configuration (Remcos):
{"Host:Port:Password": "dumboi.duckdns.org:51525:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-8AXK3L", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Yara matches on the submitted sample

Source | Rule | Description | Author
17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6aab8:$a1: Remcos restarted by watchdog!
  • 0x6b030:$a3: %02i:%02i:%02i:%03i
17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | REMCOS_RAT_variants | unknown | unknown
  • 0x64b0c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64b7c:$str_b2: Executing file:
  • 0x65bfc:$str_b3: GetDirectListeningPort
  • 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65728:$str_b7: \update.vbs
  • 0x64ba4:$str_b9: Downloaded file:
  • 0x64b90:$str_b10: Downloading file:
  • 0x64c34:$str_b12: Failed to upload file:
  • 0x65bc4:$str_b13: StartForward
  • 0x65be4:$str_b14: StopForward
  • 0x65680:$str_b15: fso.DeleteFile "
  • 0x65614:$str_b16: On Error Resume Next
  • 0x656b0:$str_b17: fso.DeleteFolder "
  • 0x64c24:$str_b18: Uploaded file:
  • 0x64be4:$str_b19: Unable to delete:
  • 0x65648:$str_b20: while fso.FileExists("
  • 0x650c1:$str_c0: [Firefox StoredLogins not found]
(1 further entry not shown)

Yara matches on dropped files

Source | Rule | Description | Author
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Yara matches on memory dumps

Source | Rule | Description | Author
00000000.00000002.4197887762.000000000229F000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x134b8:$a1: Remcos restarted by watchdog!
  • 0x13a30:$a3: %02i:%02i:%02i:%03i
(38 further entries not shown)

Yara matches on unpacked PEs

Source | Rule | Description | Author
0.2.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
0.2.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0.2.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
0.2.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6aab8:$a1: Remcos restarted by watchdog!
  • 0x6b030:$a3: %02i:%02i:%02i:%03i
0.2.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x64b0c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64b7c:$str_b2: Executing file:
  • 0x65bfc:$str_b3: GetDirectListeningPort
  • 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65728:$str_b7: \update.vbs
  • 0x64ba4:$str_b9: Downloaded file:
  • 0x64b90:$str_b10: Downloading file:
  • 0x64c34:$str_b12: Failed to upload file:
  • 0x65bc4:$str_b13: StartForward
  • 0x65be4:$str_b14: StopForward
  • 0x65680:$str_b15: fso.DeleteFile "
  • 0x65614:$str_b16: On Error Resume Next
  • 0x656b0:$str_b17: fso.DeleteFolder "
  • 0x64c24:$str_b18: Uploaded file:
  • 0x64be4:$str_b19: Unable to delete:
  • 0x65648:$str_b20: while fso.FileExists("
  • 0x650c1:$str_c0: [Firefox StoredLogins not found]
(25 further entries not shown)

Stealing of Sensitive Information

Sigma match
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, ProcessId: 4280, TargetFilename: C:\ProgramData\remcos\logs.dat

Suricata IDS alerts (high severity)
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-06T22:17:25.535923+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.236.203.101 | 51525 | TCP
2024-10-06T22:17:27.442153+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 185.236.203.101 | 51525 | TCP

Suricata IDS alerts (low severity)
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-06T22:17:27.386441+0200 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49732 | 178.237.33.50 | 80 | TCP


                        AV Detection

Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Avira: detected
Source: 00000000.00000002.4197587553.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "dumboi.duckdns.org:51525:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-8AXK3L", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | ReversingLabs: Detection: 84%
Source: Yara match | File source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.2.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4197887762.000000000229F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1752143583.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.1803008173.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1819531077.0000000000501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.1802704807.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4197649002.0000000000501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.1803398428.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4197587553.00000000004BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1819774254.0000000000501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe PID: 4280, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe PID: 4812, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe PID: 5316, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe PID: 2316, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,0_2_004338C8
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 1_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData,1_2_00404423
Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_edc9835f-2

                        Exploits

Source: Yara match | File source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.2.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1752143583.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.1803008173.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.1802704807.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.1803398428.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe PID: 4280, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe PID: 4812, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe PID: 5316, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe PID: 2316, type: MEMORYSTR

                        Privilege Escalation

Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_00407538 _wcslen,CoGetObject,0_2_00407538
Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_0040928E
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,0_2_0041C322
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,0_2_0040C388
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_004096A0
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,0_2_00408847
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_00407877 FindFirstFileW,FindNextFileW,0_2_00407877
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0040BB6B
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00419B86
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040BD72
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_100010F1
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 1_2_0040AE51 FindFirstFileW,FindNextFileW,1_2_0040AE51
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 2_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,2_2_00407EF8
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 3_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,3_2_00407898
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00407CD2

                        Networking

                        barindex
                        Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49731 -> 185.236.203.101:51525
                        Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49730 -> 185.236.203.101:51525
                        Source: Malware configuration extractorURLs: dumboi.duckdns.org
                        Source: unknownDNS query: name: dumboi.duckdns.org
                        Source: global trafficTCP traffic: 192.168.2.4:49730 -> 185.236.203.101:51525
                        Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                        Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
                        Source: Joe Sandbox ViewASN Name: M247GB M247GB
                        Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49732 -> 178.237.33.50:80
                        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeCode function: 0_2_0041B411 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,0_2_0041B411
                        Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000002.4198422202.00000000039F0000.00000040.10000000.00040000.00000000.sdmp, 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000003.00000002.1805446718.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000003.00000002.1805446718.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                        Source: bhv8305.tmp.1.drString found in binary or memory: pop-lva1.www.linkedin.com equals www.linkedin.com (Linkedin)
                        Source: bhv8305.tmp.1.drString found in binary or memory: pop-lva1.www.linkedin.com0 equals www.linkedin.com (Linkedin)
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000001.00000003.1818469944.000000000063D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: s://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000001.00000003.1818469944.000000000063D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: s://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000002.4198216159.0000000003900000.00000040.10000000.00040000.00000000.sdmp, 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000002.4198216159.0000000003900000.00000040.10000000.00040000.00000000.sdmp, 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
                        Source: global traffic | DNS traffic detected: DNS query: dumboi.duckdns.org
                        Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt0
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crt0
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertCloudServicesCA-1-g1.crl0?
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0H
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl0
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: http://crl4.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000003.1819774254.0000000000501000.00000004.00000020.00020000.00000000.sdmp, 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000003.1801699310.0000000000523000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | String found in binary or memory: http://geoplugin.net/json.gp/C
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000003.1801699310.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000003.1819531077.0000000000501000.00000004.00000020.00020000.00000000.sdmp, 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000002.4197649002.0000000000501000.00000004.00000020.00020000.00000000.sdmp, 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000003.1781716258.0000000000501000.00000004.00000020.00020000.00000000.sdmp, 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000003.1802331098.00000000004F2000.00000004.00000020.00020000.00000000.sdmp, 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000003.1819774254.0000000000501000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp5
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: http://ocsp.digicert.com0
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: http://ocsp.digicert.com0:
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: http://ocsp.digicert.com0H
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: http://ocsp.digicert.com0I
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: http://ocsp.digicert.com0Q
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: http://ocsp.msocsp.com0
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: http://ocsp.msocsp.com0S
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: http://ocspx.digicert.com0E
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: http://www.digicert.com/CPS0
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: http://www.digicert.com/CPS0~
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000003.00000002.1805446718.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000003.00000003.1805153543.00000000009AD000.00000004.00000020.00020000.00000000.sdmp, 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000003.00000003.1805204420.00000000009AD000.00000004.00000020.00020000.00000000.sdmp, 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000003.00000002.1805446718.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.com
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000002.4198422202.00000000039F0000.00000040.10000000.00040000.00000000.sdmp, 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000003.00000002.1805446718.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000002.4198422202.00000000039F0000.00000040.10000000.00040000.00000000.sdmp, 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000003.00000002.1805446718.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comr
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000003.00000003.1805153543.00000000009AD000.00000004.00000020.00020000.00000000.sdmp, 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000003.00000003.1805204420.00000000009AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.imvu.comta
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: http://www.msftconnecttest.com/connecttest.txt?n=1696334965379
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000001.00000002.1818849374.0000000000193000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000003.00000002.1805446718.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net/
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?18b635b804a8d6ad0a1fa437
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?c9b5e9d2b836931c8ddd4e8d
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?1c89d9658c6af83a02d98b03
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?74b620657ac570f7999e6ad7
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?cf2d8bf3b68a3e37eef992d5
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?fc66b8a78ab7a1394f56e742
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?66601c3b572f284b9da07fcc
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?f67d919da1a9ba8a5672367d
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=W
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?467894188c5d788807342326
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?a176b93f037f93b5720edf68
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpX
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BL2r8e&Fr
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BLUr5a&Fr
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-BL2r8e&FrontEnd=AFD
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://fp-afd-nocache-ccp.azureedge.net/apc/trans.gif?99bdaa7641aea1439604d0afe8971477
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://fp-afd-nocache-ccp.azureedge.net/apc/trans.gif?bc7d158a1b0c0bcddb88a222b6122bda
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?60caefc8ca640843bccad421cfaadcc8
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?a9bddedb22fa9ee1d455a5d5a89b950c
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://fp-vp-nocache.azureedge.net/apc/trans.gif?4be9f57fdbd89d63c136fa90032d1d91
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://fp-vp-nocache.azureedge.net/apc/trans.gif?e5772e13592c9d33c9159aed24f891a7
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?a6aceac28fb5ae421a73cab7cdd76bd8
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?b57fe5cd49060a950d25a1d237496815
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?2f6c563d6db8702d4f61cfc28e14d6ba
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?3dacce210479f0b4d47ed33c21160712
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?7e0e9c3a9f02f17275e789accf11532b
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?81f59f7d566abbd2077a5b6cdfd04c7b
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?3c5bdbf226e2549812723f51b8fe2023
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?c50299ad5b45bb3d4c7a57024998a291
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000001.00000003.1818469944.000000000063D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.liv
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3-4102-ae
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | String found in binary or memory: https://login.yahoo.com/config/login
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_sKiljltKC1Ne_Y3fl1HuHQ2.css
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_BxKM4IRLudkIao5qo
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_AI1nyU_u3YQ_at1fSBm4Uw2.js
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://maps.windows.com/windows-app-web-link
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json?One
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=27ff908e89d7b6264fde
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=586ba6
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=7ccb04
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=b1ed69
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?17a81fd4cdc7fc73a2b4cf5b67ff816d
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?29331761644ba41ebf9abf96ecc6fbad
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?2f153f40414852a5ead98f4103d563a8
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?a50e32ebd978eda4d21928b1dbc78135
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-0debb885be07c402c948.js
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ec3581b6c9e6e9985aa7.chunk.v7.js
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.6c288f9aff9797959103.chunk.v7.js
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.9ba2d4c9e339ba497e10.chunk.v7.js
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-1652fd8b358d589e6ec0.js
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.52c45571d19ede0a7005.chunk.v7.j
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.d918c7fc33e22b41b936.chunk.v7.c
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://rum8.perf.linkedin.com/apc/trans.gif?690daf9375f3d267a5b7b08fbc174993
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://rum8.perf.linkedin.com/apc/trans.gif?fe61b216ccbcc1bca02cb20f2e94fb51
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?909b77fc750668f20e07288ff0ed43e2
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?c6931b9e725f95cf9c20849dd6498c59
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://www.digicert.com/CPS0
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000003.00000002.1805446718.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.google.com
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin
                        Source: bhv8305.tmp.1.dr | String found in binary or memory: https://www.office.com/

                        Key, Mouse, Clipboard, Microphone and Screen Capturing

                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000 | 0_2_0040A2F3
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard, | 0_2_0040B749
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, | 0_2_004168FC
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 1_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, | 1_2_0040987A
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 1_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, | 1_2_004098E2
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 2_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, | 2_2_00406DFC
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 2_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, | 2_2_00406E9F
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 3_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, | 3_2_004068B5
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 3_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, | 3_2_004072B5
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard, | 0_2_0040B749
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, | 0_2_0040A41B
                        Source: Yara match | File source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, type: SAMPLE
                        Source: Yara match | File source: 0.2.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 1.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 2.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 3.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000000.1752143583.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000002.00000000.1803008173.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000001.00000000.1802704807.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000003.00000000.1803398428.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe PID: 4280, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe PID: 4812, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe PID: 5316, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe PID: 2316, type: MEMORYSTR

                        E-Banking Fraud

                        Source: Yara match | File source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, type: SAMPLE
                        Source: Yara match | File source: 0.2.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 1.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 2.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 3.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000002.4197887762.000000000229F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000000.1752143583.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000002.00000000.1803008173.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000003.1819531077.0000000000501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000001.00000000.1802704807.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.4197649002.0000000000501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000003.00000000.1803398428.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.4197587553.00000000004BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000003.1819774254.0000000000501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe PID: 4280, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe PID: 4812, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe PID: 5316, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe PID: 2316, type: MEMORYSTR
                        Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                        Spam, unwanted Advertisements and Ransom Demands

                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_0041CA6D SystemParametersInfoW | 0_2_0041CA6D
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_0041CA73 SystemParametersInfoW | 0_2_0041CA73

                        System Summary

                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants Author: unknown
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, type: SAMPLE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 0.2.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 0.2.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                        Source: 0.2.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 0.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 0.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                        Source: 0.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 1.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 1.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                        Source: 1.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 2.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 2.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                        Source: 2.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 3.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 3.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                        Source: 3.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 00000000.00000000.1752143583.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 00000002.00000000.1803008173.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 00000001.00000000.1802704807.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 00000003.00000000.1803398428.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: Process Memory Space: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe PID: 4280, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: Process Memory Space: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe PID: 4812, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: Process Memory Space: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe PID: 5316, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: Process Memory Space: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe PID: 2316, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Process Stats: CPU usage > 49%
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError | 0_2_0041812A
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_0041330D OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle | 0_2_0041330D
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_0041BBC6 OpenProcess,NtResumeProcess,CloseHandle | 0_2_0041BBC6
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle | 0_2_0041BB9A
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 1_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle | 1_2_0040DD85
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 1_2_00401806 NtdllDefWindowProc_W | 1_2_00401806
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 1_2_004018C0 NtdllDefWindowProc_W | 1_2_004018C0
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 2_2_004016FD NtdllDefWindowProc_A | 2_2_004016FD
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 2_2_004017B7 NtdllDefWindowProc_A | 2_2_004017B7
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 3_2_00402CAC NtdllDefWindowProc_A | 3_2_00402CAC
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 3_2_00402D66 NtdllDefWindowProc_A | 3_2_00402D66
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress | 0_2_004167EF
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: String function: 004169A7 appears 87 times
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: String function: 004165FF appears 35 times
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: String function: 00434801 appears 42 times
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: String function: 00422297 appears 42 times
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: String function: 00434E70 appears 54 times
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: String function: 00402093 appears 50 times
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: String function: 0044DB70 appears 41 times
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: String function: 00401E65 appears 35 times
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: String function: 00444B5A appears 37 times
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: String function: 00413025 appears 79 times
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: String function: 00416760 appears 69 times
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000003.1819531077.000000000053E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000002.4198422202.0000000003A0B000.00000040.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000003.1802331098.00000000004F2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000003.1819612963.000000000053E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemspass.exe8 vs 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000003.1798983016.0000000002AA1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemspass.exe8 vs 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeBinary or memory string: OriginalFileName vs 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeBinary or memory string: OriginalFilename vs 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000003.00000002.1805446718.000000000041B000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamemspass.exe8 vs 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 0.2.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 0.2.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                        Source: 0.2.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 0.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 0.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                        Source: 0.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 1.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 1.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                        Source: 1.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 2.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 2.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                        Source: 2.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 3.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 3.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                        Source: 3.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 00000000.00000000.1752143583.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 00000002.00000000.1803008173.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 00000001.00000000.1802704807.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 00000003.00000000.1803398428.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: Process Memory Space: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe PID: 4280, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: Process Memory Space: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe PID: 4812, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: Process Memory Space: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe PID: 5316, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: Process Memory Space: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe PID: 2316, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: classification engine | Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@7/4@2/2
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 1_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 3_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 1_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_0040F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_0041B539 FindResourceA,LoadResource,LockResource,SizeofResource
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\json[1].json
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-8AXK3L
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | File created: C:\Users\user\AppData\Local\Temp\bhv8305.tmp
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Command line argument: PG | 0_2_0040EA00
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Command line argument: PG | 0_2_0040EA00
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Command line argument: Software\ | 0_2_0040EA00
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Command line argument: Rmc-8AXK3L | 0_2_0040EA00
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Command line argument: Exe | 0_2_0040EA00
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Command line argument: Exe | 0_2_0040EA00
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Command line argument: Rmc-8AXK3L | 0_2_0040EA00
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Command line argument: ,aF | 0_2_0040EA00
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Command line argument: Inj | 0_2_0040EA00
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Command line argument: Inj | 0_2_0040EA00
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Command line argument: PG | 0_2_0040EA00
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Command line argument: PG | 0_2_0040EA00
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Command line argument: PG | 0_2_0040EA00
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Command line argument: 8SG | 0_2_0040EA00
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Command line argument: exepath | 0_2_0040EA00
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Command line argument: PG | 0_2_0040EA00
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Command line argument: ,aF | 0_2_0040EA00
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Command line argument: 8SG | 0_2_0040EA00
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Command line argument: exepath | 0_2_0040EA00
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Command line argument: PG | 0_2_0040EA00
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Command line argument: licence | 0_2_0040EA00
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Command line argument: PG | 0_2_0040EA00
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Command line argument: PG | 0_2_0040EA00
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Command line argument: PG | 0_2_0040EA00
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Command line argument: PG | 0_2_0040EA00
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Command line argument: PG | 0_2_0040EA00
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Command line argument: PG | 0_2_0040EA00
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Command line argument: dMG | 0_2_0040EA00
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Command line argument: PG | 0_2_0040EA00
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Command line argument: PG | 0_2_0040EA00
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Command line argument: PSG | 0_2_0040EA00
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Command line argument: Administrator | 0_2_0040EA00
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Command line argument: User | 0_2_0040EA00
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Command line argument: del | 0_2_0040EA00
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Command line argument: del | 0_2_0040EA00
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Command line argument: del | 0_2_0040EA00
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | System information queried: HandleInformation
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000002.00000002.1805659969.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000002.4198216159.0000000003900000.00000040.10000000.00040000.00000000.sdmp, 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000001.00000003.1818229043.00000000020EA000.00000004.00000020.00020000.00000000.sdmp, 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000001.00000002.1819324696.00000000020EA000.00000004.00000020.00020000.00000000.sdmp, 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000001.00000003.1818635359.00000000020EA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | ReversingLabs: Detection: 84%
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Evasive API call chain: __getmainargs,DecisionNodes,exit
                        Source: unknown | Process created: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe "C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe"
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Process created: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\glwdcdfurqkkskz"
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeProcess created: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\injodopvfycxvqnxqc"
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeProcess created: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\siogdgapbgucfwkbamoda"
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeProcess created: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\glwdcdfurqkkskz"Jump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeProcess created: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\injodopvfycxvqnxqc"Jump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeProcess created: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\siogdgapbgucfwkbamoda"Jump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: winmm.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: wininet.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: iphlpapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: rstrtmgr.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: ncrypt.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: ntasn1.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: mswsock.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: dnsapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: rasadhlp.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: fwpuclnt.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: winhttp.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: winnsi.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: wininet.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: pstorec.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: vaultcli.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: dpapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: pstorec.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeFile opened: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.cfgJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\AccountsJump to behavior
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Unpacked PE file: 1.2.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.gfids:R;.rsrc:R;.reloc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Unpacked PE file: 2.2.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.gfids:R;.rsrc:R;.reloc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Unpacked PE file: 3.2.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.gfids:R;.rsrc:R;.reloc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_0041CBE1
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_00457186 push ecx; ret 0_2_00457199
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_0041C7F3 push eax; retf 0_2_0041C7FD
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_00457AA8 push eax; ret 0_2_00457AC6
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_00434EB6 push ecx; ret 0_2_00434EC9
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_10002806 push ecx; ret 0_2_10002819
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_10009FD8 push esi; ret 0_2_10009FD9
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 1_2_0044693D push ecx; ret 1_2_0044694D
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 1_2_0044DB70 push eax; ret 1_2_0044DB84
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 1_2_0044DB70 push eax; ret 1_2_0044DBAC
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 1_2_00451D54 push eax; ret 1_2_00451D61
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 2_2_0044B090 push eax; ret 2_2_0044B0A4
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 2_2_0044B090 push eax; ret 2_2_0044B0CC
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 2_2_00444E71 push ecx; ret 2_2_00444E81
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 3_2_00414060 push eax; ret 3_2_00414074
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 3_2_00414060 push eax; ret 3_2_0041409C
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 3_2_00414039 push ecx; ret 3_2_00414049
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 3_2_004164EB push 0000006Ah; retf 3_2_004165C4
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 3_2_00416553 push 0000006Ah; retf 3_2_004165C4
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 3_2_00416555 push 0000006Ah; retf 3_2_004165C4
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_00406EEB ShellExecuteW,URLDownloadToFileW, 0_2_00406EEB
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 0_2_0041AADB
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_0041CBE1
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_0040F7E2 Sleep,ExitProcess, 0_2_0040F7E2
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 1_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 1_2_0040DD85
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 0_2_0041A7D9
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Window / User API: threadDelayed 2530
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Window / User API: threadDelayed 6967
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Window / User API: foregroundWindowGot 1767
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_0-52665
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | API coverage: 9.9 %
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe TID: 5020 | Thread sleep count: 233 > 30
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe TID: 5020 | Thread sleep time: -116500s >= -30000s
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe TID: 3684 | Thread sleep count: 2530 > 30
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe TID: 3684 | Thread sleep time: -7590000s >= -30000s
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe TID: 3684 | Thread sleep count: 6967 > 30
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe TID: 3684 | Thread sleep time: -20901000s >= -30000s
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_0040928E
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 0_2_0041C322
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 0_2_0040C388
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_004096A0
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 0_2_00408847
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_00407877 FindFirstFileW,FindNextFileW, 0_2_00407877
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 0_2_0040BB6B
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW, 0_2_00419B86
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 0_2_0040BD72
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_100010F1
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 1_2_0040AE51 FindFirstFileW,FindNextFileW, 1_2_0040AE51
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 2_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 2_2_00407EF8
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 3_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 3_2_00407898
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 0_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 0_2_00407CD2
Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Code function: 1_2_00418981 memset,GetSystemInfo, 1_2_00418981
Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000003.1819531077.000000000053E000.00000004.00000020.00020000.00000000.sdmp, 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000003.1781838169.000000000053E000.00000004.00000020.00020000.00000000.sdmp, 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000002.4197587553.00000000004BE000.00000004.00000020.00020000.00000000.sdmp, 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000002.4197691542.000000000053E000.00000004.00000020.00020000.00000000.sdmp, 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000003.1819612963.000000000053E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                        Source: bhv8305.tmp.1.drBinary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
                        Source: bhv8305.tmp.1.drBinary or memory string: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpXOaQeBtbq%2B7LgJauNdx5lF%2FQ%2FOy2qwXRNGjU%3D&Manufacturer=VMware%2C%20Inc.&Model=VMware20%2C1&Language=en&Locale=en-US
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeAPI call chain: ExitProcess graph end nodegraph_0-54523
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeAPI call chain: ExitProcess graph end node
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeProcess information queried: ProcessInformationJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeCode function: 0_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00434A8A
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeCode function: 1_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,1_2_0040DD85
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeCode function: 0_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041CBE1
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeCode function: 0_2_00443355 mov eax, dword ptr fs:[00000030h]0_2_00443355
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeCode function: 0_2_10004AB4 mov eax, dword ptr fs:[00000030h]0_2_10004AB4
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeCode function: 0_2_00411D39 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError,0_2_00411D39
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeCode function: 0_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0043503C
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeCode function: 0_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00434A8A
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeCode function: 0_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0043BB71
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeCode function: 0_2_00434BD8 SetUnhandledExceptionFilter,0_2_00434BD8
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeCode function: 0_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_100060E2
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeCode function: 0_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_10002639
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeCode function: 0_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_10002B1C

                        HIPS / PFW / Operating System Protection Evasion

                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeCode function: 0_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,0_2_0041812A
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: NULL target: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe protection: execute and read and writeJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: NULL target: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe protection: execute and read and writeJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeSection loaded: NULL target: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe protection: execute and read and writeJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeCode function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe0_2_00412132
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeCode function: 0_2_00419662 mouse_event,0_2_00419662
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeProcess created: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\glwdcdfurqkkskz"Jump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeProcess created: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\injodopvfycxvqnxqc"Jump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeProcess created: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\siogdgapbgucfwkbamoda"Jump to behavior
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000002.4197691542.0000000000535000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerg
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000002.4197587553.00000000004BE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager$h
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000002.4197649002.0000000000523000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager3L\*
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000003.1802331098.0000000000523000.00000004.00000020.00020000.00000000.sdmp, 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000002.4197691542.0000000000535000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000003.1819774254.0000000000523000.00000004.00000020.00020000.00000000.sdmp, 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000003.1819531077.0000000000523000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerd
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000002.4197649002.0000000000523000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager3L\d
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000002.4197649002.0000000000523000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager3L\09
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000002.4197649002.0000000000523000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager3L\37R
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000002.4197649002.0000000000523000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager3L\)
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000002.4197649002.0000000000523000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager3L\*5
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000002.4197649002.0000000000523000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager3L\'
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000002.4197691542.0000000000535000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager*
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000002.4197691542.0000000000535000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerv
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000002.4197691542.0000000000535000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager`av
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000002.4197691542.0000000000535000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager@
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000002.4197587553.00000000004BE000.00000004.00000020.00020000.00000000.sdmp, 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000002.4197649002.0000000000501000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |Program Manager|
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000003.1802331098.0000000000523000.00000004.00000020.00020000.00000000.sdmp, 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000003.1819774254.0000000000523000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager>
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000002.4197649002.0000000000523000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager3L\
                        Source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, 00000000.00000002.4197587553.00000000004BE000.00000004.00000020.00020000.00000000.sdmp, logs.dat.0.drBinary or memory string: [Program Manager]
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeCode function: 0_2_00434CB6 cpuid 0_2_00434CB6
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeCode function: GetLocaleInfoA,0_2_0040F90C
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeCode function: EnumSystemLocalesW,0_2_0045201B
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeCode function: EnumSystemLocalesW,0_2_004520B6
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00452143
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeCode function: GetLocaleInfoW,0_2_00452393
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeCode function: EnumSystemLocalesW,0_2_00448484
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_004524BC
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeCode function: GetLocaleInfoW,0_2_004525C3
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00452690
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeCode function: GetLocaleInfoW,0_2_0044896D
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_00451D58
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeCode function: EnumSystemLocalesW,0_2_00451FD0
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeCode function: 0_2_00404F51 GetLocalTime,CreateEventA,CreateThread,0_2_00404F51
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeCode function: 0_2_0041B69E GetComputerNameExW,GetUserNameW,0_2_0041B69E
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeCode function: 0_2_0044942D _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_0044942D
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeCode function: 1_2_0041739B GetVersionExW,1_2_0041739B
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                        Stealing of Sensitive Information

                        Source: Yara matchFile source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, type: SAMPLE
                        Source: Yara matchFile source: 0.2.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 1.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 2.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 3.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000000.00000002.4197887762.000000000229F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000000.1752143583.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000002.00000000.1803008173.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000003.1819531077.0000000000501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000001.00000000.1802704807.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.4197649002.0000000000501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000003.00000000.1803398428.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.4197587553.00000000004BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000003.1819774254.0000000000501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe PID: 4280, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe PID: 4812, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe PID: 5316, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe PID: 2316, type: MEMORYSTR
                        Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeCode function: \AppData\Local\Google\Chrome\User Data\Default\Login Data0_2_0040BA4D
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeCode function: \AppData\Roaming\Mozilla\Firefox\Profiles\0_2_0040BB6B
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeCode function: \key3.db0_2_0040BB6B
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.dbJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqliteJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\AccountsJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic SaltJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic SaltJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\AccountsJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeKey opened: HKEY_CURRENT_USER\Software\PaltalkJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\AccountsJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live MailJump to behavior
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeCode function: ESMTPPassword2_2_004033F0
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeCode function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword2_2_00402DB3
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeCode function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword2_2_00402DB3
                        Source: Yara matchFile source: Process Memory Space: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe PID: 4280, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe PID: 4812, type: MEMORYSTR

                        Remote Access Functionality

                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-8AXK3LJump to behavior
                        Source: Yara matchFile source: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, type: SAMPLE
                        Source: Yara matchFile source: 0.2.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 1.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 2.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 3.0.17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000000.00000002.4197887762.000000000229F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000000.1752143583.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000002.00000000.1803008173.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000003.1819531077.0000000000501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000001.00000000.1802704807.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.4197649002.0000000000501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000003.00000000.1803398428.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.4197587553.00000000004BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000003.1819774254.0000000000501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe PID: 4280, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe PID: 4812, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe PID: 5316, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe PID: 2316, type: MEMORYSTR
                        Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                        Source: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exeCode function: cmd.exe0_2_0040569A
Mitre Att&ck Matrix (techniques listed per tactic column; a number in brackets is the count badge the report shows next to that technique)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology, IP Addresses
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising, Compromise Infrastructure
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise
Execution: Native API [11], Command and Scripting Interpreter [13], Service Execution [2], Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter, PowerShell
Persistence: DLL Side-Loading [1], Windows Service [1], Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
Privilege Escalation: DLL Side-Loading [1], Bypass User Account Control [1], Access Token Manipulation [1], Windows Service [1], Process Injection [222], RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
Defense Evasion: Deobfuscate/Decode Files or Information [1], Obfuscated Files or Information [2], Software Packing [1], DLL Side-Loading [1], Bypass User Account Control [1], Masquerading [1], Virtualization/Sandbox Evasion [1], Access Token Manipulation [1], Process Injection [222], Dynamic API Resolution
Credential Access: OS Credential Dumping [2], Input Capture [211], Credentials in Registry [2], Credentials In Files [3], LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing
Discovery: System Time Discovery [2], Account Discovery [1], System Service Discovery [1], File and Directory Discovery [3], System Information Discovery [38], Security Software Discovery [31], Virtualization/Sandbox Evasion [1], Process Discovery [4], Application Window Discovery [1], System Owner/User Discovery [1]
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections, Shared Webroot
Collection: Archive Collected Data [11], Data from Local System [1], Email Collection [1], Input Capture [211], Clipboard Data [3], GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging
Command and Control: Ingress Tool Transfer [12], Encrypted Channel [2], Non-Standard Port [1], Remote Access Software [1], Non-Application Layer Protocol [2], Application Layer Protocol [22], Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot [1], Defacement [1], Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement, External Defacement

                        Legend:

                        • Process
                        • Signature
                        • Created File
                        • DNS/IP Info
                        • Is Dropped
                        • Is Windows Process
                        • Number of created Registry Values
                        • Number of created Files
                        • Visual Basic
                        • Delphi
                        • Java
                        • .Net C# or VB.NET
                        • C, C++ or other language
                        • Is malicious
                        • Internet
Behavior Graph ID: 1527289
Sample: 17282393454a20ebb72846132bb...
Startdate: 06/10/2024
Architecture: WINDOWS
Score: 100
Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures
DNS/IP info at sample level: dumboi.duckdns.org (signature: Uses dynamic DNS services); geoplugin.net
Process started: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe (node badges: 3, 15)
  Network: dumboi.duckdns.org 185.236.203.101, 49730, 49731, 51525 (M247GB, Romania); geoplugin.net 178.237.33.50, 49732, 80 (ATOM86-ASATOM86NL, Netherlands)
  Dropped file: C:\ProgramData\remcos\logs.dat, data
  Signatures: Contains functionality to bypass UAC (CMSTPLUA); Detected unpacking (changes PE section rights); Detected Remcos RAT; 9 other signatures
  Child processes started: three further instances of 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe (node badges: 1, 1, 2)
    Signatures on the first child: Tries to steal Instant Messenger accounts or passwords; Tries to harvest and steal browser information (history, passwords, etc)
    Signature on the second child: Tries to steal Mail credentials (via file / registry access)

Source | Detection | Scanner | Label | Link
17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | 84% | ReversingLabs | Win32.Backdoor.Remcos |
17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | 100% | Avira | BDS/Backdoor.Gen |
17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.imvu.comr | 0% | URL Reputation | safe |
https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe |
http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe |
https://login.yahoo.com/config/login | 0% | URL Reputation | safe |
http://www.imvu.com | 0% | URL Reputation | safe |
http://geoplugin.net/json.gp | 0% | URL Reputation | safe |
http://www.ebuddy.com | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
geoplugin.net | 178.237.33.50 | true | false | | unknown
dumboi.duckdns.org | 185.236.203.101 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
dumboi.duckdns.org | true | | unknown
http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
185.236.203.101 | dumboi.duckdns.org | Romania | | 9009 | M247GB | true
178.237.33.50 | geoplugin.net | Netherlands | | 8455 | ATOM86-ASATOM86NL | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1527289
Start date and time: 2024-10-06 22:16:25 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 59s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe
Detection: MAL
Classification: mal100.rans.phis.troj.spyw.expl.evad.winEXE@7/4@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 139
• Number of non-executed functions: 304
                                                                                                                  Cookbook Comments:
                                                                                                                  • Found application associated with file extension: .exe
                                                                                                                  • Override analysis time to 240s for sample files taking high CPU consumption
                                                                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                                                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                  • Not all processes where analyzed, report is missing behavior information
                                                                                                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                  • VT rate limit hit for: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe
Time | Type | Description
16:17:55 | API Interceptor | 7189937x Sleep call for process: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe modified
Match (IP) | Associated Sample Name / URL | Detection | Threat Name | Context
185.236.203.101 | na.rtf | malicious | Remcos |
185.236.203.101 | DSpWOKW7zn.rtf | malicious | Remcos |
185.236.203.101 | Formularz instrukcji p#U0142atno#U015bci Millennium.xls | malicious | Remcos |
185.236.203.101 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.31506.1346.rtf | malicious | Remcos |
178.237.33.50 | na.rtf | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | na.rtf | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | na.rtf | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | na.rtf | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | na.rtf | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | MKWbWHd5Ni.rtf | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | DSpWOKW7zn.rtf | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 1728080706a248a4f632b137f140bbdefdc6243fcfee4f77d8efc81faca52425088e5ea1dc575.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | DHL Shipment Doc's.xls | malicious | Remcos | geoplugin.net/json.gp
Match (Domain) | Associated Sample Name / URL | Detection | Threat Name | Context
dumboi.duckdns.org | na.rtf | malicious | Remcos | 185.236.203.101
dumboi.duckdns.org | DSpWOKW7zn.rtf | malicious | Remcos | 185.236.203.101
dumboi.duckdns.org | Formularz instrukcji p#U0142atno#U015bci Millennium.xls | malicious | Remcos | 185.236.203.101
dumboi.duckdns.org | SecuriteInfo.com.Exploit.CVE-2017-11882.123.31506.1346.rtf | malicious | Remcos | 185.236.203.101
geoplugin.net | na.rtf | malicious | Remcos | 178.237.33.50
geoplugin.net | na.rtf | malicious | Remcos | 178.237.33.50
geoplugin.net | 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | na.rtf | malicious | Remcos | 178.237.33.50
geoplugin.net | na.rtf | malicious | Remcos | 178.237.33.50
geoplugin.net | na.rtf | malicious | Remcos | 178.237.33.50
geoplugin.net | MKWbWHd5Ni.rtf | malicious | Remcos | 178.237.33.50
geoplugin.net | DSpWOKW7zn.rtf | malicious | Remcos | 178.237.33.50
geoplugin.net | 1728080706a248a4f632b137f140bbdefdc6243fcfee4f77d8efc81faca52425088e5ea1dc575.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | DHL Shipment Doc's.xls | malicious | Remcos | 178.237.33.50
Match (ASN) | Associated Sample Name / URL | Detection | Threat Name | Context
M247GB | na.rtf | malicious | Remcos | 185.236.203.101
M247GB | file.dll | malicious | Matanbuchus | 193.109.85.31
M247GB | file.dll | malicious | Matanbuchus | 193.109.85.31
M247GB | Booking_0106.exe | malicious | AgentTesla | 172.86.66.70
M247GB | DSpWOKW7zn.rtf | malicious | Remcos | 185.236.203.101
M247GB | 81zBpBAWwc.exe | malicious | RHADAMANTHYS | 82.102.27.163
M247GB | file.dll | malicious | Matanbuchus | 193.109.85.31
M247GB | bomb.exe | malicious | Amadey, Go Injector, LummaC Stealer, Phorpiex, PureLog Stealer, Stealc, Vidar | 91.202.233.141
M247GB | Formularz instrukcji p#U0142atno#U015bci Millennium.xls | malicious | Remcos | 185.236.203.101
M247GB | http://toomdexter.kindofx.com/c/2734/14-13347393/2/ | malicious | Unknown | 5.183.103.118
ATOM86-ASATOM86NL | na.rtf | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | na.rtf | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | na.rtf | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | na.rtf | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | na.rtf | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | MKWbWHd5Ni.rtf | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | DSpWOKW7zn.rtf | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | 1728080706a248a4f632b137f140bbdefdc6243fcfee4f77d8efc81faca52425088e5ea1dc575.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | DHL Shipment Doc's.xls | malicious | Remcos | 178.237.33.50
                                                                                                                          No context
                                                                                                                          No context
Process: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe
File Type: data
Category: dropped
Size (bytes): 144
Entropy (8bit): 3.3829237234308707
Encrypted: false
SSDEEP: 3:rhlKlM+VlSlpNDkwlDl5JWRal2Jl+7R0DAlBG45klovDl6v:6lJSlpNDLb5YcIeeDAlOWAv
MD5: 42F1C8009DD5CDD23210075C2E9B4FBF
SHA1: 1CCEDE13CDAB1A544433B10C3B1744DB6FAAF99C
SHA-256: A8AA422A5113158BBF10F53CB0C62BC8DD9AA377A9CCBB05E020CFF16CA80022
SHA-512: 3D374590C886FD34B90B482AD02B0043A3C63FAB2C475EAF5644DA8BC3F4F52A54D85BEB453D413339A05374C6ADC24E11AD20E3E5FB8495FEFBDBAACA5FD117
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
Reputation: low
Preview: ....[.2.0.2.4./.1.0./.0.6. .1.6.:.1.7.:.2.3. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
Process: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe
File Type: JSON data
Category: dropped
Size (bytes): 962
Entropy (8bit): 5.013811273052389
Encrypted: false
SSDEEP: 12:tklu+mnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlu+KdRNuKyGX85jvXhNlT3/7AcV9Wro
MD5: 18BC6D34FABB00C1E30D98E8DAEC814A
SHA1: D21EF72B8421AA7D1F8E8B1DB1323AA93B884C54
SHA-256: 862D5523F77D193121112B15A36F602C4439791D03E24D97EF25F3A6CBE37ED0
SHA-512: 8DF14178B08AD2EDE670572394244B5224C8B070199A4BD851245B88D4EE3D7324FC7864D180DE85221ADFBBCAACB9EE9D2A77B5931D4E878E27334BF8589D71
Malicious: false
Reputation: moderate, very likely benign file
Preview: {. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
Process: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0x98bd6f1b, page size 32768, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 20447232
Entropy (8bit): 1.283023164350904
Encrypted: false
SSDEEP: 12288:ZRSPOhijljKhBfvKDv2G+555ckQB8WBbjWE:mii9PDp+
MD5: C8063FDAE20322136E6ADC8D78F74904
SHA1: 6335FD6C1829E93F7A45614483DB9922F349C032
SHA-256: B2D7CDFE06C91A3372D36FDB13C20B0CF4EF6A971B59783C3031A51E31EE24BD
SHA-512: 2BEB848E5FCC3F7067FF88430166FE378C14971E70ECCAE7CB9B0F4AD2FFE2327A7EE13B95F0CDEC57FDD9571471F2042EA954F2C39F312D493095410D6B4F1D
Malicious: false
Reputation: low
Preview: ..o.... ........=......J}...0...{........................"..........{.......{..h.$..........................3.s.0...{..............................................................................................c...........eJ......n........................................................................................................... ............{...................................................................................................................................................................................................{;...................................`......{...................;)k.....{...........................#......h.$.....................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe
File Type: Unicode text, UTF-16, little-endian text, with no line terminators
Category: dropped
Size (bytes): 2
Entropy (8bit): 1.0
Encrypted: false
SSDEEP: 3:Qn:Qn
MD5: F3B25701FE362EC84616A93A45CE9998
SHA1: D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512: 98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious: false
Reputation: high, very likely benign file
Preview: ..
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.6013931659711655
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe
File size: 494'592 bytes
MD5: c6a88078a75cf820171ddec254f357f1
SHA1: f02b7858ad352b812f4299b28992499c124d4337
SHA256: b36228caaab561c68ae6fedd187804142090698761163947174d9d7513877567
SHA512: c26292ca04c479ec9d9b4b92b8d89edbcd21a271e0c7577f8189f9f9b45581d82bc2a8d1d8d0912f06ffa5ebd8ae04afbc0585150c634dda88a0583b76726069
SSDEEP: 6144:QTz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZXAXkcrzT4:QTlrYw1RUh3NFn+N5WfIQIjbs/ZXAT4
TLSH: C0B49E01BAD2C072D57514300D3AF776EAB8BD201835497B73EA1D5BFE31190A72AAB7
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{.-H..~H..~H..~..'~[..~..%~...~..$~V..~AbR~I..~...~J..~.D..R..~.D..r..~.D..j..~AbE~Q..~H..~v..~.D..,..~.D)~I..~.D..I..~RichH..
Icon Hash: 95694d05214c1b33
Entrypoint: 0x434a80
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x66F18049 [Mon Sep 23 14:50:49 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 1389569a3a39186f3eb453b501cfe688
Instruction (disassembly at entrypoint):
    call 00007F5FB8EF32ABh
    jmp 00007F5FB8EF2CF3h
    push ebp
    mov ebp, esp
    sub esp, 00000324h
    push ebx
    push esi
    push 00000017h
    call 00007F5FB8F15543h
    test eax, eax
    je 00007F5FB8EF2E67h
    mov ecx, dword ptr [ebp+08h]
    int 29h
    xor esi, esi
    lea eax, dword ptr [ebp-00000324h]
    push 000002CCh
    push esi
    push eax
    mov dword ptr [00471D14h], esi
    call 00007F5FB8EF52B6h
    add esp, 0Ch
    mov dword ptr [ebp-00000274h], eax
    mov dword ptr [ebp-00000278h], ecx
    mov dword ptr [ebp-0000027Ch], edx
    mov dword ptr [ebp-00000280h], ebx
    mov dword ptr [ebp-00000284h], esi
    mov dword ptr [ebp-00000288h], edi
    mov word ptr [ebp-0000025Ch], ss
    mov word ptr [ebp-00000268h], cs
    mov word ptr [ebp-0000028Ch], ds
    mov word ptr [ebp-00000290h], es
    mov word ptr [ebp-00000294h], fs
    mov word ptr [ebp-00000298h], gs
    pushfd
    pop dword ptr [ebp-00000264h]
    mov eax, dword ptr [ebp+04h]
    mov dword ptr [ebp-0000026Ch], eax
    lea eax, dword ptr [ebp+04h]
    mov dword ptr [ebp-00000260h], eax
    mov dword ptr [ebp-00000324h], 00010001h
    mov eax, dword ptr [eax-04h]
    push 00000050h
    mov dword ptr [ebp-00000270h], eax
    lea eax, dword ptr [ebp-58h]
    push esi
    push eax
    call 00007F5FB8EF522Dh
Programming Language:
• [C++] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6eeb8 | 0x104 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x79000 | 0x4b00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7e000 | 0x3bc8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6d350 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x6d3e4 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x6d388 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x59000 | 0x500 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x571f5 | 0x57200 | e504ab64b98631753dc227346d757c52 | False | 0.5716379348995696 | data | 6.6273936921798455 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x59000 | 0x179dc | 0x17a00 | 03563836e8ba6bd75dd82177f19b0089 | False | 0.5008370535714286 | data | 5.862029025853186 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x71000 | 0x5d44 | 0xe00 | 0eaccffe1cb836994ce5d3ccfb22d4f9 | False | 0.22126116071428573 | data | 3.0035180736120775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x77000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids | 0x78000 | 0x230 | 0x400 | 9ca325bce9f8c0342c0381814603584a | False | 0.330078125 | data | 2.3999762503719224 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x79000 | 0x4b00 | 0x4c00 | 843187db9d7507bebe526941d7f0cfff | False | 0.27960526315789475 | data | 3.9849746097377445 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x7e000 | 0x3bc8 | 0x3c00 | 047d13d1dd0f82094cdf10f08253441e | False | 0.7640625 | data | 6.723768218094163 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x7918c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.3421985815602837
RT_ICON | 0x795f4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.27704918032786885
RT_ICON | 0x79f7c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.23686679174484052
RT_ICON | 0x7b024 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.22977178423236513
RT_RCDATA | 0x7d5cc | 0x4f3 | data | | | 1.0086819258089976
RT_GROUP_ICON | 0x7dac0 | 0x3e | data | English | United States | 0.8064516129032258
DLL | Import
KERNEL32.dll | FindNextFileA, ExpandEnvironmentStringsA, GetLongPathNameW, CopyFileW, GetLocaleInfoA, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, VirtualProtect, SetLastError, VirtualFree, VirtualAlloc, GetNativeSystemInfo, HeapAlloc, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetTempPathW, OpenProcess, OpenMutexA, lstrcatW, GetCurrentProcessId, GetTempFileNameW, UnmapViewOfFile, DuplicateHandle, CreateFileMappingW, MapViewOfFile, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetTickCount, GlobalUnlock, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, LocalAlloc, GlobalFree, MulDiv, SizeofResource, QueryDosDeviceW, FindFirstVolumeW, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, lstrlenW, GetStdHandle, SetFilePointer, FindResourceA, LockResource, LoadResource, LocalFree, FindVolumeClose, GetVolumePathNamesForVolumeNameW, lstrcpyW, FindFirstFileA, FormatMessageA, FindNextVolumeW, AllocConsole, lstrcmpW, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, HeapReAlloc, GetACP, GetModuleHandleExW, MoveFileExW, RtlUnwind, RaiseException, LoadLibraryExW, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, GetFileSize, TerminateThread, GetLastError, CreateDirectoryW, GetModuleHandleA, RemoveDirectoryW, MoveFileW, SetFilePointerEx, GetLogicalDriveStringsA, DeleteFileW, DeleteFileA, SetFileAttributesW, GetFileAttributesW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, GetModuleHandleW, ExitProcess, CreateMutexA, GetCurrentProcess, GetProcAddress, LoadLibraryA, CreateProcessA, PeekNamedPipe, CreatePipe, TerminateProcess, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, SetEvent, CreateEventW, WaitForSingleObject, Sleep, GetModuleFileNameW, CloseHandle, ExitThread, CreateFileW, WriteFile, SetConsoleOutputCP, InitializeCriticalSectionAndSpinCount, MultiByteToWideChar, DecodePointer, EncodePointer, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, WaitForSingleObjectEx, ResetEvent, SetEndOfFile
USER32.dll | GetMessageA, GetWindowTextW, wsprintfW, GetClipboardData, UnhookWindowsHookEx, GetForegroundWindow, ToUnicodeEx, GetKeyboardLayout, SetWindowsHookExA, CloseClipboard, OpenClipboard, GetKeyboardState, CallNextHookEx, GetKeyboardLayoutNameA, GetKeyState, GetWindowTextLengthW, DispatchMessageA, SetForegroundWindow, SetClipboardData, EnumWindows, ExitWindowsEx, EmptyClipboard, ShowWindow, SetWindowTextW, MessageBoxW, IsWindowVisible, CloseWindow, SendInput, EnumDisplaySettingsW, mouse_event, CreatePopupMenu, TranslateMessage, TrackPopupMenu, DefWindowProcA, CreateWindowExA, AppendMenuA, GetSystemMetrics, RegisterClassExA, GetCursorPos, SystemParametersInfoW, GetWindowThreadProcessId, MapVirtualKeyA, DrawIcon, GetIconInfo
GDI32.dll | BitBlt, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteObject, CreateDCA, GetObjectA, DeleteDC
ADVAPI32.dll | CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegEnumValueW, RegQueryValueExW, RegDeleteKeyA
SHELL32.dll | ShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW
ole32.dll | CoInitializeEx, CoUninitialize, CoGetObject
SHLWAPI.dll | PathFileExistsW, PathFileExistsA, StrToIntA
WINMM.dll | waveInOpen, waveInStart, waveInAddBuffer, PlaySoundW, mciSendStringA, mciSendStringW, waveInClose, waveInStop, waveInPrepareHeader, waveInUnprepareHeader
WS2_32.dll | gethostbyname, send, WSAStartup, closesocket, inet_ntoa, htons, htonl, getservbyname, ntohs, getservbyport, gethostbyaddr, inet_addr, WSASetLastError, WSAGetLastError, recv, connect, socket
urlmon.dll | URLOpenBlockingStreamW, URLDownloadToFileW
gdiplus.dll | GdipSaveImageToStream, GdipGetImageEncodersSize, GdipFree, GdipDisposeImage, GdipAlloc, GdipCloneImage, GdipGetImageEncoders, GdiplusStartup, GdipLoadImageFromStream
WININET.dll | InternetOpenUrlW, InternetOpenW, InternetCloseHandle, InternetReadFile
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-06T22:17:25.535923+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49730 | 185.236.203.101 | 51525 | TCP
2024-10-06T22:17:27.386441+0200 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.4 | 49732 | 178.237.33.50 | 80 | TCP
2024-10-06T22:17:27.442153+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49731 | 185.236.203.101 | 51525 | TCP
                                                                                                                          Oct 6, 2024 22:17:27.442152977 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:27.623420954 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:27.629429102 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:27.634301901 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:27.635745049 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:27.640624046 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:27.640683889 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:27.645538092 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.162426949 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.162508011 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.162545919 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.162580013 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.162595987 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:28.162619114 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.162627935 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:28.207776070 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:28.345305920 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.345386028 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.345421076 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.345458031 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.345478058 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:28.345520020 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:28.350168943 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.350240946 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.350275040 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.350307941 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.350308895 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:28.350347042 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.350361109 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:28.354907036 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.354944944 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.354980946 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:28.382433891 CEST8049732178.237.33.50192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.382533073 CEST4973280192.168.2.4178.237.33.50
                                                                                                                          Oct 6, 2024 22:17:28.395284891 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:28.532458067 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.532481909 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.532497883 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.532512903 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.532531977 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.532579899 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:28.532639027 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:28.532800913 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.532855034 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:28.532897949 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.532922983 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.532938957 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.532970905 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:28.533305883 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.533359051 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:28.533375978 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.533391953 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.533407927 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.533437967 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:28.533878088 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.533905983 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.533921003 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.533993006 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:28.533997059 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.534014940 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.534066916 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:28.534746885 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.534773111 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.534817934 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:28.725781918 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.725820065 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.725836992 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.725852966 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.725869894 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.725878954 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:28.725888014 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.725915909 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:28.725958109 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:28.726205111 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.726222038 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.726258993 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.726273060 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:28.726290941 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.726308107 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.726330996 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:28.726562023 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.726589918 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.726605892 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.726613998 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:28.726650000 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:28.726843119 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.726917028 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.726932049 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.726962090 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:28.727114916 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.727164984 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.727173090 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:28.727183104 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.727201939 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.727225065 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:28.727262974 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.727279902 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.727297068 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.727312088 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:28.727346897 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:28.728017092 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.728044987 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.728060961 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.728094101 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:28.728126049 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.728142977 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.728159904 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.728171110 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:28.728188992 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.728208065 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:28.728879929 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.728930950 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:28.728938103 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.728955984 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.728998899 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:28.729031086 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.729048014 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.729065895 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.729084015 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.729090929 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:28.729129076 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:28.730906963 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.730923891 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.730942965 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.730973959 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:28.785970926 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:28.913557053 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.913606882 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.913665056 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.913701057 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.913734913 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.913738012 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:28.913780928 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.913805008 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:28.913834095 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.913850069 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:28.913871050 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.913903952 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.913923979 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:28.913938046 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.913988113 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:28.913989067 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.914025068 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:28.914056063 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.100809097 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.100810051 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.100841045 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.100852966 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.100867987 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.100903988 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.100940943 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.100940943 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.101007938 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.105685949 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.105704069 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.105747938 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.106184959 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.106240034 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.106255054 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.106261969 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.106272936 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.106302023 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.106471062 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.106497049 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.106511116 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.106523037 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.106548071 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.106549978 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.106568098 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.106615067 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.106623888 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.106640100 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.106657982 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.106674910 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.106684923 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.106692076 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.106709003 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.106719971 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.106745958 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.108319044 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.108333111 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.108356953 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.108372927 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.108386993 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.108390093 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.108407974 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.108422995 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.108424902 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.108459949 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.110101938 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.110119104 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.110136032 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.110163927 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.110197067 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.110215902 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.110238075 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.110255003 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.110271931 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.110285997 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.110289097 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.110311985 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.110493898 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.110521078 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.110536098 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.110553026 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.110564947 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.110599995 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.110621929 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.110637903 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.110658884 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.110677004 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.110737085 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.110761881 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.110775948 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.110804081 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.110817909 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.110837936 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.110863924 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.110879898 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.110898018 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.110917091 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.110991955 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.111260891 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.112822056 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.112871885 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.112885952 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.112912893 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.112927914 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.112929106 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.112947941 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.112987041 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.112987041 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.113018036 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.119683027 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.186429024 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.186470985 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.186510086 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.186590910 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.186621904 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.186660051 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.186757088 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.239053011 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.288414001 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.288438082 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.288456917 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.288486958 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.288505077 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.288567066 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.288599968 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.288618088 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.288635015 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.288639069 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.288650990 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.288681984 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.288697958 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.288734913 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.288750887 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.288775921 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.288781881 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.288794041 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.288822889 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.288909912 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.288927078 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.288947105 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.288959026 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.288964987 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.288997889 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.289005995 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.289016962 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.289035082 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.289040089 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.289055109 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.289077044 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.289103031 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.289119959 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.289144993 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.289405107 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.289422035 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.289438009 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.289462090 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.289488077 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.289494038 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.289511919 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.289527893 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.289550066 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.289578915 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.289592981 CEST4973151525192.168.2.4185.236.203.101
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Oct 6, 2024 22:17:29.289632082 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.289700031 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.289716959 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.289745092 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.289787054 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.289803028 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.289819956 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.289830923 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.289839983 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.289860010 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.290095091 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.290142059 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.290144920 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.290163040 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.290226936 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.290242910 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.290261030 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.290277958 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.290294886 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.290302992 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.290333986 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.290479898 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.290546894 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.290563107 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.290579081 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.290590048 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.290636063 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.290802956 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.290831089 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.290847063 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.290874004 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.290905952 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.290923119 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.290946960 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.290951014 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.290965080 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.290985107 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.291001081 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.291016102 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.291060925 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.291062117 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.291079044 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.291098118 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.291155100 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.291172028 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.291188002 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.291197062 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.291212082 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.291227102 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.291234016 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.291253090 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.291270018 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.291270018 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.291305065 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.291321039 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.291399002 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.291414976 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.291433096 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.291441917 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.291471958 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.291493893 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.291510105 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.291527033 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.291544914 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.291553020 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.291563988 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.291584015 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.291621923 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.291662931 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.291673899 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.291691065 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.291733027 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.291749954 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.291776896 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.291795969 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.291812897 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.291831970 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.291836977 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.291850090 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.291857004 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.291898966 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.291923046 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.291939974 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.291956902 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.291977882 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.292042971 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.292059898 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.292078018 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.292085886 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.292119026 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.292148113 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.292164087 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.292179108 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.292200089 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.292205095 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.292222023 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.292246103 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.292260885 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.292278051 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.292300940 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.292337894 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.292356014 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.292381048 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.292429924 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.292474031 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.292490005 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.292507887 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.292546988 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.292553902 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.292571068 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.292588949 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.292608023 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.292675018 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.292720079 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.292762041 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.292778015 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.292794943 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.292814016 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.292824030 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.292841911 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.292857885 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.292865038 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.292881966 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.292901993 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.292918921 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.292922020 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.292946100 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.292967081 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.292982101 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.293006897 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.296520948 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.296538115 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.296555042 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.296591997 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.296617031 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.297564030 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.297580957 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.297597885 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.297615051 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.297624111 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.297657967 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.301826000 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.304382086 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.377221107 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.377247095 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.377276897 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.377305984 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.377316952 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.377324104 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.377348900 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.377351999 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.377370119 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.377387047 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.377387047 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.377417088 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.377427101 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.377434015 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.377449036 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.377469063 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.377480030 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.377496958 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.377511978 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.377521992 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.377533913 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.377552986 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.377553940 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.377576113 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.377589941 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.377593994 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.377609015 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.377629042 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.377639055 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.377645016 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.377660990 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.377670050 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.377680063 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.377696037 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.377710104 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.377717972 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.377729893 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.377846003 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.377888918 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.377899885 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.377937078 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.377979994 CEST  49731        51525      192.168.2.4      185.236.203.101
Oct 6, 2024 22:17:29.377990007 CEST  51525        49731      185.236.203.101  192.168.2.4
Oct 6, 2024 22:17:29.378046989 CEST  51525        49731      185.236.203.101  192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.378089905 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.378103018 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.378139019 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.378181934 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.378192902 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.378230095 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.378263950 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.378273964 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.378298044 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.378331900 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.378365993 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.378366947 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.378401041 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.378406048 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.378437042 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.378470898 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.378479004 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.379177094 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.379208088 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.379224062 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.379266977 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.379303932 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.379323959 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.379379034 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.379426003 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.379462004 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.379497051 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.379549980 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.379549980 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.379601955 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.379637957 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.379657030 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.379703999 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.379745007 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.379762888 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.379818916 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.379861116 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.379873037 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.379909039 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.379950047 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.379964113 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.379997969 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.380033970 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.380039930 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.380069017 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.380104065 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.380111933 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.380139112 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.380173922 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.380181074 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.380208969 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.380243063 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.380265951 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.380276918 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.380312920 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.380346060 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.380346060 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.380383015 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:29.380389929 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:29.419126034 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:31.171605110 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:31.176475048 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:31.176539898 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:31.176551104 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:31.176561117 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:31.176573992 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:31.176589966 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:31.176626921 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:31.176642895 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:31.176672935 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:31.176723003 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:31.176753044 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:31.176779032 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:31.176791906 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:31.181677103 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:31.181778908 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:31.181936026 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:31.181965113 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:31.182013988 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:31.182043076 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:31.182071924 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:31.206355095 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:31.212084055 CEST5152549731185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:31.212148905 CEST4973151525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:52.906857014 CEST5152549730185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:17:52.909941912 CEST4973051525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:17:52.914920092 CEST5152549730185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:18:22.919725895 CEST5152549730185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:18:22.921192884 CEST4973051525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:18:22.926244974 CEST5152549730185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:18:52.924417973 CEST5152549730185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:18:52.929064989 CEST4973051525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:18:52.933944941 CEST5152549730185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:19:16.724199057 CEST4973280192.168.2.4178.237.33.50
                                                                                                                          Oct 6, 2024 22:19:17.067478895 CEST4973280192.168.2.4178.237.33.50
                                                                                                                          Oct 6, 2024 22:19:17.770608902 CEST4973280192.168.2.4178.237.33.50
                                                                                                                          Oct 6, 2024 22:19:19.068651915 CEST4973280192.168.2.4178.237.33.50
                                                                                                                          Oct 6, 2024 22:19:21.569453001 CEST4973280192.168.2.4178.237.33.50
                                                                                                                          Oct 6, 2024 22:19:22.929647923 CEST5152549730185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:19:22.931936026 CEST4973051525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:19:22.936805010 CEST5152549730185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:19:26.473784924 CEST4973280192.168.2.4178.237.33.50
                                                                                                                          Oct 6, 2024 22:19:36.270664930 CEST4973280192.168.2.4178.237.33.50
                                                                                                                          Oct 6, 2024 22:19:52.957665920 CEST5152549730185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:19:52.962450027 CEST4973051525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:19:52.967299938 CEST5152549730185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:20:22.962080002 CEST5152549730185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:20:22.967406034 CEST4973051525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:20:22.972304106 CEST5152549730185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:20:52.975317001 CEST5152549730185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:20:52.977504015 CEST4973051525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:20:52.982891083 CEST5152549730185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:21:22.982938051 CEST5152549730185.236.203.101192.168.2.4
                                                                                                                          Oct 6, 2024 22:21:22.984497070 CEST4973051525192.168.2.4185.236.203.101
                                                                                                                          Oct 6, 2024 22:21:22.989321947 CEST5152549730185.236.203.101192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 6, 2024 22:17:24.515163898 CEST | 53781 | 53 | 192.168.2.4 | 1.1.1.1
Oct 6, 2024 22:17:24.631596088 CEST | 53 | 53781 | 1.1.1.1 | 192.168.2.4
Oct 6, 2024 22:17:26.758948088 CEST | 62690 | 53 | 192.168.2.4 | 1.1.1.1
Oct 6, 2024 22:17:26.768286943 CEST | 53 | 62690 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 6, 2024 22:17:24.515163898 CEST | 192.168.2.4 | 1.1.1.1 | 0x6ef3 | Standard query (0) | dumboi.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 6, 2024 22:17:26.758948088 CEST | 192.168.2.4 | 1.1.1.1 | 0x6353 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 6, 2024 22:17:24.631596088 CEST | 1.1.1.1 | 192.168.2.4 | 0x6ef3 | No error (0) | dumboi.duckdns.org | | 185.236.203.101 | A (IP address) | IN (0x0001) | false
Oct 6, 2024 22:17:26.768286943 CEST | 1.1.1.1 | 192.168.2.4 | 0x6353 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false

• geoplugin.net

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49732 | 178.237.33.50 | 80 | 4280 | C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe

Timestamp | Bytes transferred | Direction | Data
Oct 6, 2024 22:17:26.777571917 CEST | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Oct 6, 2024 22:17:27.386333942 CEST | 1170 | IN | HTTP/1.1 200 OK
date: Sun, 06 Oct 2024 20:17:27 GMT
server: Apache
content-length: 962
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}
Target ID: 0
Start time: 16:17:23
Start date: 06/10/2024
Path: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe"
Imagebase: 0x400000
File size: 494'592 bytes
MD5 hash: C6A88078A75CF820171DDEC254F357F1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4197887762.000000000229F000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000000.1752143583.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000000.1752143583.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.1752143583.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000000.1752143583.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000003.1819531077.0000000000501000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4197649002.0000000000501000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4197587553.00000000004BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000003.1819774254.0000000000501000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          Reputation:low
                                                                                                                          Has exited:false

                                                                                                                          Target ID:1
                                                                                                                          Start time:16:17:28
                                                                                                                          Start date:06/10/2024
                                                                                                                          Path:C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\glwdcdfurqkkskz"
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:494'592 bytes
                                                                                                                          MD5 hash:C6A88078A75CF820171DDEC254F357F1
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000001.00000000.1802704807.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000000.1802704807.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000000.1802704807.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000001.00000000.1802704807.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                                                          Reputation:low
                                                                                                                          Has exited:true

                                                                                                                          Target ID:2
                                                                                                                          Start time:16:17:28
                                                                                                                          Start date:06/10/2024
                                                                                                                          Path:C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\injodopvfycxvqnxqc"
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:494'592 bytes
                                                                                                                          MD5 hash:C6A88078A75CF820171DDEC254F357F1
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000002.00000000.1803008173.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000000.1803008173.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000000.1803008173.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000002.00000000.1803008173.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                                                          Reputation:low
                                                                                                                          Has exited:true

                                                                                                                          Target ID:3
                                                                                                                          Start time:16:17:28
                                                                                                                          Start date:06/10/2024
                                                                                                                          Path:C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\siogdgapbgucfwkbamoda"
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:494'592 bytes
                                                                                                                          MD5 hash:C6A88078A75CF820171DDEC254F357F1
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000003.00000000.1803398428.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000000.1803398428.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000000.1803398428.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000003.00000000.1803398428.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                                                          Reputation:low
                                                                                                                          Has exited:true


                                                                                                                            Execution Graph

                                                                                                                            Execution Coverage:4.8%
                                                                                                                            Dynamic/Decrypted Code Coverage:3.9%
                                                                                                                            Signature Coverage:19%
                                                                                                                            Total number of Nodes:1806
                                                                                                                            Total number of Limit Nodes:65
52941->52943 52945 413132 52943->52945 52944 402f31 28 API calls 52946 412fe5 52944->52946 52947 402f10 28 API calls 52945->52947 52948 402f10 28 API calls 52946->52948 52949 41313e 52947->52949 52950 412ff4 52948->52950 52951 402f10 28 API calls 52949->52951 52952 402f10 28 API calls 52950->52952 52953 41314d 52951->52953 52954 413003 52952->52954 52955 402f10 28 API calls 52953->52955 52956 402f10 28 API calls 52954->52956 52957 41315c 52955->52957 52958 413012 52956->52958 52960 402f10 28 API calls 52957->52960 52959 402f10 28 API calls 52958->52959 52962 413021 52959->52962 52961 41316b 52960->52961 52963 402f10 28 API calls 52961->52963 52964 402f10 28 API calls 52962->52964 52965 41317a 52963->52965 52966 41302d 52964->52966 53076 402ea1 28 API calls 52965->53076 52968 402f10 28 API calls 52966->52968 52970 413039 52968->52970 52969 413184 52971 404aa1 61 API calls 52969->52971 53074 402ea1 28 API calls 52970->53074 52973 413191 52971->52973 52975 401fd8 11 API calls 52973->52975 52974 413048 52976 402f10 28 API calls 52974->52976 52977 41319d 52975->52977 52978 413054 52976->52978 52979 401fd8 11 API calls 52977->52979 53075 402ea1 28 API calls 52978->53075 52981 4131a9 52979->52981 52983 401fd8 11 API calls 52981->52983 52982 41305e 52984 404aa1 61 API calls 52982->52984 52985 4131b5 52983->52985 52986 41306b 52984->52986 52987 401fd8 11 API calls 52985->52987 52988 401fd8 11 API calls 52986->52988 52989 4131c1 52987->52989 52990 413074 52988->52990 52992 401fd8 11 API calls 52989->52992 52991 401fd8 11 API calls 52990->52991 52994 41307d 52991->52994 52993 4131ca 52992->52993 52995 401fd8 11 API calls 52993->52995 52996 401fd8 11 API calls 52994->52996 52997 4131d3 52995->52997 52998 413086 52996->52998 52999 401fd8 11 API calls 52997->52999 53000 401fd8 11 API calls 52998->53000 53001 4130d7 52999->53001 53002 41308f 53000->53002 53004 401fd8 11 API calls 53001->53004 53003 401fd8 11 API calls 53002->53003 53005 41309b 53003->53005 53006 4131e5 
53004->53006 53007 401fd8 11 API calls 53005->53007 53008 401f09 11 API calls 53006->53008 53009 4130a7 53007->53009 53010 4131f1 53008->53010 53011 401fd8 11 API calls 53009->53011 53012 401fd8 11 API calls 53010->53012 53013 4130b3 53011->53013 53014 4131fd 53012->53014 53015 401fd8 11 API calls 53013->53015 53016 401fd8 11 API calls 53014->53016 53017 4130bf 53015->53017 53018 413209 53016->53018 53019 401fd8 11 API calls 53017->53019 53020 401fd8 11 API calls 53018->53020 53021 4130cb 53019->53021 53023 413215 53020->53023 53022 401fd8 11 API calls 53021->53022 53022->53001 53024 401fd8 11 API calls 53023->53024 53025 413221 53024->53025 53026 401fd8 11 API calls 53025->53026 53027 41322d 53026->53027 53028 401fd8 11 API calls 53027->53028 53029 413239 53028->53029 53030 401fd8 11 API calls 53029->53030 53031 413245 53030->53031 53032 401fd8 11 API calls 53031->53032 53033 413251 53032->53033 53034 401fd8 11 API calls 53033->53034 53035 412abe 53034->53035 53035->52859 53037 404243 53036->53037 53038 4023ce 11 API calls 53037->53038 53039 40424e 53038->53039 53040 402569 28 API calls 53039->53040 53041 4041b5 53040->53041 53041->52820 53042->52869 53043->52888 53045 40b947 53044->53045 53077 402252 53045->53077 53047 40b952 53081 40b967 53047->53081 53049 40b961 53049->52923 53052 413277 53050->53052 53060 4132a6 53050->53060 53051 4132b5 53111 40417e 53051->53111 53107 411d2d 53052->53107 53057 401fd8 11 API calls 53059 412f63 53057->53059 53059->52931 53060->53051 53103 10001c5b 53060->53103 53063 402252 11 API calls 53062->53063 53064 401f12 53063->53064 53064->52927 53066 41bdbc 53065->53066 53067 4020b7 28 API calls 53066->53067 53068 412f9b 53067->53068 53069 41bc1f 53068->53069 53233 441ed1 53069->53233 53072 402093 28 API calls 53073 412fb5 53072->53073 53073->52944 53074->52974 53075->52982 53076->52969 53078 40225c 53077->53078 53079 4022ac 53077->53079 53078->53079 53088 402779 11 API calls std::_Deallocate 53078->53088 53079->53047 53082 40b9a1 
53081->53082 53083 40b973 53081->53083 53100 4028a4 22 API calls 53082->53100 53089 4027e6 53083->53089 53087 40b97d 53087->53049 53088->53079 53090 4027ef 53089->53090 53091 402851 53090->53091 53092 4027f9 53090->53092 53102 4028a4 22 API calls 53091->53102 53095 402802 53092->53095 53096 402815 53092->53096 53101 402aea 28 API calls __EH_prolog 53095->53101 53097 402813 53096->53097 53099 402252 11 API calls 53096->53099 53097->53087 53099->53097 53101->53097 53104 10001c6b ___scrt_fastfail 53103->53104 53117 100012ee 53104->53117 53106 10001c87 53106->53051 53159 411d39 53107->53159 53110 411fa2 22 API calls ___std_exception_copy 53110->53060 53112 404186 53111->53112 53113 402252 11 API calls 53112->53113 53114 404191 53113->53114 53212 4041bc 53114->53212 53118 10001324 ___scrt_fastfail 53117->53118 53119 100013b7 GetEnvironmentVariableW 53118->53119 53143 100010f1 53119->53143 53122 100010f1 57 API calls 53123 10001465 53122->53123 53124 100010f1 57 API calls 53123->53124 53125 10001479 53124->53125 53126 100010f1 57 API calls 53125->53126 53127 1000148d 53126->53127 53128 100010f1 57 API calls 53127->53128 53129 100014a1 53128->53129 53130 100010f1 57 API calls 53129->53130 53131 100014b5 lstrlenW 53130->53131 53132 100014d2 53131->53132 53133 100014d9 lstrlenW 53131->53133 53132->53106 53134 100010f1 57 API calls 53133->53134 53135 10001501 lstrlenW lstrcatW 53134->53135 53136 100010f1 57 API calls 53135->53136 53137 10001539 lstrlenW lstrcatW 53136->53137 53138 100010f1 57 API calls 53137->53138 53139 1000156b lstrlenW lstrcatW 53138->53139 53140 100010f1 57 API calls 53139->53140 53141 1000159d lstrlenW lstrcatW 53140->53141 53142 100010f1 57 API calls 53141->53142 53142->53132 53144 10001118 ___scrt_fastfail 53143->53144 53145 10001129 lstrlenW 53144->53145 53156 10002c40 53145->53156 53148 10001177 lstrlenW FindFirstFileW 53150 100011a0 53148->53150 53151 100011e1 53148->53151 53149 10001168 lstrlenW 53149->53148 53152 100011c7 FindNextFileW 
53150->53152 53153 100011aa 53150->53153 53151->53122 53152->53150 53155 100011da FindClose 53152->53155 53153->53152 53158 10001000 57 API calls ___scrt_fastfail 53153->53158 53155->53151 53157 10001148 lstrcatW lstrlenW 53156->53157 53157->53148 53157->53149 53158->53153 53192 4117d7 53159->53192 53161 411d57 53162 411d6d SetLastError 53161->53162 53163 4117d7 SetLastError 53161->53163 53171 411d35 53161->53171 53162->53171 53164 411d8a 53163->53164 53164->53162 53166 411dac GetNativeSystemInfo 53164->53166 53164->53171 53167 411df2 53166->53167 53168 411dff SetLastError 53167->53168 53195 411cde VirtualAlloc 53167->53195 53168->53171 53171->53110 53172 411e22 53173 411e47 GetProcessHeap HeapAlloc 53172->53173 53205 411cde VirtualAlloc 53172->53205 53174 411e70 53173->53174 53175 411e5e 53173->53175 53178 4117d7 SetLastError 53174->53178 53206 411cf5 VirtualFree 53175->53206 53180 411eb9 53178->53180 53179 411e3a 53179->53168 53179->53173 53181 411f6b 53180->53181 53196 411cde VirtualAlloc 53180->53196 53207 4120b2 GetProcessHeap HeapFree 53181->53207 53184 411ed2 _Yarn 53197 4117ea SetLastError _Yarn ___scrt_get_show_window_mode 53184->53197 53186 411efe 53186->53181 53198 411b9a 26 API calls 53186->53198 53188 411f2b 53188->53181 53199 41198a 53188->53199 53190 411f36 53190->53171 53190->53181 53191 411f60 SetLastError 53190->53191 53191->53181 53193 4117e6 53192->53193 53194 4117db SetLastError 53192->53194 53193->53161 53194->53161 53195->53172 53196->53184 53197->53186 53198->53188 53203 4119b0 53199->53203 53200 411a99 53201 4118ed VirtualProtect 53200->53201 53202 411aab 53201->53202 53202->53190 53203->53200 53203->53202 53208 4118ed 53203->53208 53205->53179 53206->53168 53207->53171 53209 4118fe 53208->53209 53211 4118f6 53208->53211 53210 411971 VirtualProtect 53209->53210 53209->53211 53210->53211 53211->53203 53213 4041c8 53212->53213 53216 4041d9 53213->53216 53215 40419c 53215->53057 53217 4041e9 53216->53217 53218 404206 53217->53218 53219 4041ef 
53217->53219 53220 4027e6 28 API calls 53218->53220 53223 404267 53219->53223 53222 404204 53220->53222 53222->53215 53224 402888 22 API calls 53223->53224 53225 40427b 53224->53225 53226 404290 53225->53226 53227 4042a5 53225->53227 53229 4042df 22 API calls 53226->53229 53228 4027e6 28 API calls 53227->53228 53232 4042a3 53228->53232 53230 404299 53229->53230 53231 402c48 22 API calls 53230->53231 53231->53232 53232->53222 53234 441edd 53233->53234 53237 441ccd 53234->53237 53236 41bc43 53236->53072 53238 441ce4 53237->53238 53240 441d1b __cftoe 53238->53240 53241 44062d 20 API calls __dosmaperr 53238->53241 53240->53236 53241->53240 53242->52861 53244 4020f6 28 API calls 53243->53244 53245 415b47 SetEvent 53244->53245 53246 415b5c 53245->53246 53247 4041a2 28 API calls 53246->53247 53248 415b76 53247->53248 53249 4020f6 28 API calls 53248->53249 53250 415b86 53249->53250 53251 4020f6 28 API calls 53250->53251 53252 415b98 53251->53252 53253 41beac 28 API calls 53252->53253 53254 415ba1 53253->53254 53256 415bc1 GetTickCount 53254->53256 53257 415d20 53254->53257 53320 415d11 53254->53320 53255 401e8d 11 API calls 53258 4170cd 53255->53258 53259 41bc1f 28 API calls 53256->53259 53257->53320 53321 415d34 53257->53321 53262 401fd8 11 API calls 53258->53262 53260 415bd2 53259->53260 53322 41bb77 GetLastInputInfo GetTickCount 53260->53322 53264 4170d9 53262->53264 53266 401fd8 11 API calls 53264->53266 53265 415bde 53267 41bc1f 28 API calls 53265->53267 53268 4170e5 53266->53268 53269 415be9 53267->53269 53323 41bb27 53269->53323 53272 41bdaf 28 API calls 53273 415c05 53272->53273 53274 401e65 22 API calls 53273->53274 53275 415c13 53274->53275 53276 402f31 28 API calls 53275->53276 53277 415c21 53276->53277 53328 402ea1 28 API calls 53277->53328 53279 415c30 53280 402f10 28 API calls 53279->53280 53281 415c3f 53280->53281 53329 402ea1 28 API calls 53281->53329 53283 415c4e 53284 402f10 28 API calls 53283->53284 53285 415c5a 53284->53285 53330 402ea1 28 API calls 
53285->53330 53287 415c64 53288 404aa1 61 API calls 53287->53288 53289 415c73 53288->53289 53290 401fd8 11 API calls 53289->53290 53291 415c7c 53290->53291 53292 401fd8 11 API calls 53291->53292 53293 415c88 53292->53293 53294 401fd8 11 API calls 53293->53294 53295 415c94 53294->53295 53296 401fd8 11 API calls 53295->53296 53297 415ca0 53296->53297 53298 401fd8 11 API calls 53297->53298 53299 415cac 53298->53299 53300 401fd8 11 API calls 53299->53300 53301 415cb8 53300->53301 53302 401f09 11 API calls 53301->53302 53303 415cc1 53302->53303 53304 401fd8 11 API calls 53303->53304 53305 415cca 53304->53305 53306 401fd8 11 API calls 53305->53306 53307 415cd3 53306->53307 53308 401e65 22 API calls 53307->53308 53309 415cde 53308->53309 53331 43bb2c 53309->53331 53312 415cf0 53315 415d09 53312->53315 53316 415cfe 53312->53316 53313 415d16 53314 401e65 22 API calls 53313->53314 53314->53257 53336 404f51 53315->53336 53335 404ff4 82 API calls 53316->53335 53319 415d04 53319->53320 53320->53255 53351 4050e4 84 API calls 53321->53351 53322->53265 53352 436f10 53323->53352 53326 40417e 28 API calls 53327 415bf7 53326->53327 53327->53272 53328->53279 53329->53283 53330->53287 53332 43bb45 _swprintf 53331->53332 53354 43ae83 53332->53354 53334 415ceb 53334->53312 53334->53313 53335->53319 53337 404f65 53336->53337 53338 404fea 53336->53338 53339 404f6e 53337->53339 53340 404fc0 CreateEventA CreateThread 53337->53340 53341 404f7d GetLocalTime 53337->53341 53338->53320 53339->53340 53340->53338 53383 405150 53340->53383 53342 41bc1f 28 API calls 53341->53342 53343 404f91 53342->53343 53382 4052fd 28 API calls 53343->53382 53351->53319 53353 41bb46 GetForegroundWindow GetWindowTextW 53352->53353 53353->53326 53370 43ba8a 53354->53370 53356 43aed0 53376 43a837 36 API calls 3 library calls 53356->53376 53358 43ae95 53358->53356 53359 43aeaa 53358->53359 53369 43aeaf __cftoe 53358->53369 53375 44062d 20 API calls __dosmaperr 53359->53375 53362 43aedc 53364 43af0b 53362->53364 53377 
43bacf 40 API calls __Toupper 53362->53377 53366 43af77 53364->53366 53378 43ba36 20 API calls 2 library calls 53364->53378 53379 43ba36 20 API calls 2 library calls 53366->53379 53367 43b03e _swprintf 53367->53369 53380 44062d 20 API calls __dosmaperr 53367->53380 53369->53334 53371 43baa2 53370->53371 53372 43ba8f 53370->53372 53371->53358 53381 44062d 20 API calls __dosmaperr 53372->53381 53374 43ba94 __cftoe 53374->53358 53375->53369 53376->53362 53377->53362 53378->53366 53379->53367 53380->53369 53381->53374 53386 40515c 102 API calls 53383->53386 53385 405159 53386->53385 53387->52806 53388->52811 53389->52813 53390 43bea8 53393 43beb4 _swprintf ___BuildCatchObject 53390->53393 53391 43bec2 53406 44062d 20 API calls __dosmaperr 53391->53406 53393->53391 53394 43beec 53393->53394 53401 445909 EnterCriticalSection 53394->53401 53396 43bef7 53402 43bf98 53396->53402 53398 43bec7 ___BuildCatchObject __cftoe 53401->53396 53403 43bfa6 53402->53403 53405 43bf02 53403->53405 53408 4497ec 37 API calls 2 library calls 53403->53408 53407 43bf1f LeaveCriticalSection std::_Lockit::~_Lockit 53405->53407 53406->53398 53407->53398 53408->53403 53409 434918 53410 434924 ___BuildCatchObject 53409->53410 53436 434627 53410->53436 53412 43492b 53414 434954 53412->53414 53734 434a8a IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_get_show_window_mode 53412->53734 53419 434993 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 53414->53419 53735 4442d2 5 API calls __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 53414->53735 53416 43496d 53418 434973 ___BuildCatchObject 53416->53418 53736 444276 5 API calls __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 53416->53736 53420 4349f3 53419->53420 53737 443487 36 API calls 5 library calls 53419->53737 53447 434ba5 53420->53447 53429 434a15 53430 434a1f 53429->53430 53739 4434bf 28 API calls _abort 53429->53739 53432 434a28 53430->53432 53740 
443462 28 API calls _abort 53430->53740 53741 43479e 13 API calls 2 library calls 53432->53741 53435 434a30 53435->53418 53437 434630 53436->53437 53742 434cb6 IsProcessorFeaturePresent 53437->53742 53439 43463c 53743 438fb1 10 API calls 4 library calls 53439->53743 53441 434641 53446 434645 53441->53446 53744 44415f IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 53441->53744 53443 43464e 53444 43465c 53443->53444 53745 438fda 8 API calls 3 library calls 53443->53745 53444->53412 53446->53412 53448 436f10 ___scrt_get_show_window_mode 53447->53448 53449 434bb8 GetStartupInfoW 53448->53449 53450 4349f9 53449->53450 53451 444223 53450->53451 53746 44f0d9 53451->53746 53453 434a02 53456 40ea00 53453->53456 53454 44422c 53454->53453 53750 446895 36 API calls 53454->53750 53752 41cbe1 LoadLibraryA GetProcAddress 53456->53752 53458 40ea1c GetModuleFileNameW 53757 40f3fe 53458->53757 53460 40ea38 53461 4020f6 28 API calls 53460->53461 53462 40ea47 53461->53462 53463 4020f6 28 API calls 53462->53463 53464 40ea56 53463->53464 53465 41beac 28 API calls 53464->53465 53466 40ea5f 53465->53466 53772 40fb52 53466->53772 53468 40ea68 53469 401e8d 11 API calls 53468->53469 53470 40ea71 53469->53470 53471 40ea84 53470->53471 53472 40eace 53470->53472 53966 40fbee 97 API calls 53471->53966 53473 401e65 22 API calls 53472->53473 53476 40eade 53473->53476 53475 40ea96 53477 401e65 22 API calls 53475->53477 53479 401e65 22 API calls 53476->53479 53478 40eaa2 53477->53478 53967 410f72 36 API calls __EH_prolog 53478->53967 53480 40eafd 53479->53480 53481 40531e 28 API calls 53480->53481 53483 40eb0c 53481->53483 53485 406383 28 API calls 53483->53485 53484 40eab4 53968 40fb9f 78 API calls 53484->53968 53487 40eb18 53485->53487 53489 401fe2 28 API calls 53487->53489 53488 40eabd 53969 40f3eb 71 API calls 53488->53969 53491 40eb24 53489->53491 53492 401fd8 11 API calls 53491->53492 53493 40eb2d 53492->53493 53495 401fd8 11 
API calls 53493->53495 53494 401fd8 11 API calls 53496 40ef36 53494->53496 53497 40eb36 53495->53497 53738 443396 GetModuleHandleW 53496->53738 53498 401e65 22 API calls 53497->53498 53499 40eb3f 53498->53499 53500 401fc0 28 API calls 53499->53500 53501 40eb4a 53500->53501 53502 401e65 22 API calls 53501->53502 53503 40eb63 53502->53503 53504 401e65 22 API calls 53503->53504 53505 40eb7e 53504->53505 53506 40ebe9 53505->53506 53970 406c59 53505->53970 53507 401e65 22 API calls 53506->53507 53512 40ebf6 53507->53512 53509 40ebab 53510 401fe2 28 API calls 53509->53510 53511 40ebb7 53510->53511 53514 401fd8 11 API calls 53511->53514 53513 40ec3d 53512->53513 53519 413584 3 API calls 53512->53519 53776 40d0a4 53513->53776 53515 40ebc0 53514->53515 53975 413584 RegOpenKeyExA 53515->53975 53517 40ec43 53518 40eac6 53517->53518 53779 41b354 53517->53779 53518->53494 53525 40ec21 53519->53525 53523 40f38a 54068 4139e4 30 API calls 53523->54068 53524 40ec5e 53527 40ecb1 53524->53527 53796 407751 53524->53796 53525->53513 53978 4139e4 30 API calls 53525->53978 53528 401e65 22 API calls 53527->53528 53531 40ecba 53528->53531 53540 40ecc6 53531->53540 53541 40eccb 53531->53541 53533 40f3a0 54069 4124b0 65 API calls ___scrt_get_show_window_mode 53533->54069 53534 40ec87 53538 401e65 22 API calls 53534->53538 53535 40ec7d 53979 407773 30 API calls 53535->53979 53550 40ec90 53538->53550 53539 40f3aa 53543 41bcef 28 API calls 53539->53543 53982 407790 CreateProcessA CloseHandle CloseHandle ___scrt_get_show_window_mode 53540->53982 53546 401e65 22 API calls 53541->53546 53542 40ec82 53980 40729b 98 API calls 53542->53980 53547 40f3ba 53543->53547 53548 40ecd4 53546->53548 53868 413a5e RegOpenKeyExW 53547->53868 53800 41bcef 53548->53800 53550->53527 53553 40ecac 53550->53553 53552 40ecdf 53804 401f13 53552->53804 53981 40729b 98 API calls 53553->53981 53557 401f09 11 API calls 53560 40f3d7 53557->53560 53559 401f09 11 API calls 53561 40ecf3 53559->53561 53562 401f09 11 API calls 
53560->53562 53563 401e65 22 API calls 53561->53563 53564 40f3e0 53562->53564 53565 40ecfc 53563->53565 53871 40dd7d 53564->53871 53569 401e65 22 API calls 53565->53569 53571 40ed16 53569->53571 53570 40f3ea 53572 401e65 22 API calls 53571->53572 53573 40ed30 53572->53573 53574 401e65 22 API calls 53573->53574 53575 40ed49 53574->53575 53576 40edb6 53575->53576 53577 401e65 22 API calls 53575->53577 53578 40edc5 53576->53578 53583 40ef41 ___scrt_get_show_window_mode 53576->53583 53582 40ed5e _wcslen 53577->53582 53579 40edce 53578->53579 53607 40ee4a ___scrt_get_show_window_mode 53578->53607 53580 401e65 22 API calls 53579->53580 53581 40edd7 53580->53581 53584 401e65 22 API calls 53581->53584 53582->53576 53586 401e65 22 API calls 53582->53586 54043 413733 RegOpenKeyExA 53583->54043 53585 40ede9 53584->53585 53589 401e65 22 API calls 53585->53589 53587 40ed79 53586->53587 53591 401e65 22 API calls 53587->53591 53590 40edfb 53589->53590 53594 401e65 22 API calls 53590->53594 53592 40ed8e 53591->53592 53983 40da6f 53592->53983 53593 40ef8c 53595 401e65 22 API calls 53593->53595 53597 40ee24 53594->53597 53598 40efb1 53595->53598 53602 401e65 22 API calls 53597->53602 53603 402093 28 API calls 53598->53603 53600 401f13 28 API calls 53601 40edad 53600->53601 53605 401f09 11 API calls 53601->53605 53606 40ee35 53602->53606 53604 40efc3 53603->53604 53823 4137aa RegCreateKeyA 53604->53823 53605->53576 54041 40ce34 46 API calls _wcslen 53606->54041 53813 413982 53607->53813 53611 40ee45 53611->53607 53613 40eede ctype 53616 401e65 22 API calls 53613->53616 53614 401e65 22 API calls 53615 40efe5 53614->53615 53618 43bb2c 40 API calls 53615->53618 53617 40eef5 53616->53617 53617->53593 53620 40ef09 53617->53620 53619 40eff2 53618->53619 53621 40effc 53619->53621 53622 40f01f 53619->53622 53623 401e65 22 API calls 53620->53623 54046 41ce2c 88 API calls ___scrt_get_show_window_mode 53621->54046 53626 402093 28 API calls 53622->53626 53624 40ef12 53623->53624 53627 41bcef 28 
API calls 53624->53627 53629 40f034 53626->53629 53630 40ef1e 53627->53630 53628 40f003 CreateThread 53628->53622 54527 41d4ee 10 API calls 53628->54527 53631 402093 28 API calls 53629->53631 54042 40f4af 114 API calls 53630->54042 53633 40f043 53631->53633 53635 41b580 80 API calls 53633->53635 53634 40ef23 53634->53593 53636 40ef2a 53634->53636 53637 40f048 53635->53637 53636->53518 53638 401e65 22 API calls 53637->53638 53639 40f054 53638->53639 53640 401e65 22 API calls 53639->53640 53641 40f066 53640->53641 53642 401e65 22 API calls 53641->53642 53643 40f086 53642->53643 53644 43bb2c 40 API calls 53643->53644 53645 40f093 53644->53645 53646 401e65 22 API calls 53645->53646 53647 40f09e 53646->53647 53648 401e65 22 API calls 53647->53648 53649 40f0af 53648->53649 53650 401e65 22 API calls 53649->53650 53651 40f0c4 53650->53651 53652 401e65 22 API calls 53651->53652 53653 40f0d5 53652->53653 53654 40f0dc StrToIntA 53653->53654 53829 409e1f 53654->53829 53657 401e65 22 API calls 53658 40f0f7 53657->53658 53659 40f103 53658->53659 53660 40f13c 53658->53660 54047 43455e 53659->54047 53662 401e65 22 API calls 53660->53662 53665 40f14c 53662->53665 53664 401e65 22 API calls 53666 40f11f 53664->53666 53668 40f194 53665->53668 53669 40f158 53665->53669 53667 40f126 CreateThread 53666->53667 53667->53660 54524 41a045 110 API calls __EH_prolog 53667->54524 53670 401e65 22 API calls 53668->53670 53671 43455e new 22 API calls 53669->53671 53672 40f19d 53670->53672 53673 40f161 53671->53673 53676 40f207 53672->53676 53677 40f1a9 53672->53677 53674 401e65 22 API calls 53673->53674 53675 40f173 53674->53675 53678 40f17a CreateThread 53675->53678 53679 401e65 22 API calls 53676->53679 53680 401e65 22 API calls 53677->53680 53678->53668 54529 41a045 110 API calls __EH_prolog 53678->54529 53681 40f210 53679->53681 53682 40f1b9 53680->53682 53683 40f255 53681->53683 53684 40f21c 53681->53684 53685 401e65 22 API calls 53682->53685 53854 41b69e GetComputerNameExW GetUserNameW 
53683->53854 53687 401e65 22 API calls 53684->53687 53688 40f1ce 53685->53688 53690 40f225 53687->53690 54054 40da23 53688->54054 53696 401e65 22 API calls 53690->53696 53691 401f13 28 API calls 53692 40f269 53691->53692 53695 401f09 11 API calls 53692->53695 53699 40f272 53695->53699 53697 40f23a 53696->53697 53708 43bb2c 40 API calls 53697->53708 53698 401f13 28 API calls 53700 40f1ed 53698->53700 53701 40f27b SetProcessDEPPolicy 53699->53701 53702 40f27e CreateThread 53699->53702 53703 401f09 11 API calls 53700->53703 53701->53702 53704 40f293 CreateThread 53702->53704 53705 40f29f 53702->53705 54497 40f7e2 53702->54497 53709 40f1f6 CreateThread 53703->53709 53704->53705 54525 412132 146 API calls 53704->54525 53706 40f2b4 53705->53706 53707 40f2a8 CreateThread 53705->53707 53711 40f307 53706->53711 53713 402093 28 API calls 53706->53713 53707->53706 54526 412716 38 API calls ___scrt_get_show_window_mode 53707->54526 53710 40f247 53708->53710 53709->53676 54528 401be9 50 API calls 53709->54528 54065 40c19d 7 API calls 53710->54065 53865 41353a RegOpenKeyExA 53711->53865 53714 40f2d7 53713->53714 54066 4052fd 28 API calls 53714->54066 53719 40f328 53721 41bcef 28 API calls 53719->53721 53723 40f338 53721->53723 54067 413656 31 API calls 53723->54067 53728 40f34e 53729 401f09 11 API calls 53728->53729 53732 40f359 53729->53732 53730 40f381 DeleteFileW 53731 40f388 53730->53731 53730->53732 53731->53539 53732->53539 53732->53730 53733 40f36f Sleep 53732->53733 53733->53732 53734->53412 53735->53416 53736->53419 53737->53420 53738->53429 53739->53430 53740->53432 53741->53435 53742->53439 53743->53441 53744->53443 53745->53446 53747 44f0eb 53746->53747 53748 44f0e2 53746->53748 53747->53454 53751 44efd8 49 API calls 5 library calls 53748->53751 53750->53454 53751->53747 53753 41cc20 LoadLibraryA GetProcAddress 53752->53753 53754 41cc10 GetModuleHandleA GetProcAddress 53752->53754 53755 41cc49 44 API calls 53753->53755 53756 41cc39 LoadLibraryA GetProcAddress 
53753->53756 53754->53753 53755->53458 53756->53755 54070 41b539 FindResourceA 53757->54070 53760 43bda0 ___std_exception_copy 21 API calls 53761 40f428 _Yarn 53760->53761 53762 4020b7 28 API calls 53761->53762 53763 40f443 53762->53763 53764 401fe2 28 API calls 53763->53764 53765 40f44e 53764->53765 53766 401fd8 11 API calls 53765->53766 53767 40f457 53766->53767 53768 43bda0 ___std_exception_copy 21 API calls 53767->53768 53769 40f468 _Yarn 53768->53769 54073 406e13 53769->54073 53771 40f49b 53771->53460 53773 40fb5e 53772->53773 53775 40fb65 53772->53775 54076 402163 11 API calls 53773->54076 53775->53468 54077 401fab 53776->54077 53778 40d0ae CreateMutexA GetLastError 53778->53517 54078 41c048 53779->54078 53784 401fe2 28 API calls 53785 41b390 53784->53785 53786 401fd8 11 API calls 53785->53786 53787 41b398 53786->53787 53788 4135e1 31 API calls 53787->53788 53790 41b3ee 53787->53790 53789 41b3c1 53788->53789 53791 41b3cc StrToIntA 53789->53791 53790->53524 53792 41b3e3 53791->53792 53793 41b3da 53791->53793 53795 401fd8 11 API calls 53792->53795 54087 41cffa 22 API calls 53793->54087 53795->53790 53797 407765 53796->53797 53798 413584 3 API calls 53797->53798 53799 40776c 53798->53799 53799->53534 53799->53535 53801 41bd03 53800->53801 53802 40b93f 28 API calls 53801->53802 53803 41bd0b 53802->53803 53803->53552 53805 401f22 53804->53805 53812 401f6a 53804->53812 53806 402252 11 API calls 53805->53806 53807 401f2b 53806->53807 53808 401f6d 53807->53808 53810 401f46 53807->53810 54089 402336 53808->54089 54088 40305c 28 API calls 53810->54088 53812->53559 53814 4139a0 53813->53814 53815 406e13 28 API calls 53814->53815 53816 4139b5 53815->53816 53817 4020f6 28 API calls 53816->53817 53818 4139c5 53817->53818 53819 4137aa 14 API calls 53818->53819 53820 4139cf 53819->53820 53821 401fd8 11 API calls 53820->53821 53822 4139dc 53821->53822 53822->53613 53824 4137c3 53823->53824 53825 4137fa 53823->53825 53828 4137d5 RegSetValueExA RegCloseKey 53824->53828 53826 

Control-flow Graph

APIs
• LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
• GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
• GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
• GetProcAddress.KERNEL32(00000000), ref: 0041CC19
• LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
• GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
• LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
• GetProcAddress.KERNEL32(00000000), ref: 0041CC42
• LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
• GetProcAddress.KERNEL32(00000000), ref: 0041CC57
• LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
• GetProcAddress.KERNEL32(00000000), ref: 0041CC66
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
• GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
• GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
• GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
• LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
• GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
• GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
• GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
• GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
• GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
• GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
• GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
• GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
• GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
• GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
• GetProcAddress.KERNEL32(00000000), ref: 0041CD06
• LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
• GetProcAddress.KERNEL32(00000000), ref: 0041CD17
• LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040EA1C), ref: 0041CD28
• GetProcAddress.KERNEL32(00000000), ref: 0041CD2B
• GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040EA1C), ref: 0041CD38
• GetProcAddress.KERNEL32(00000000), ref: 0041CD3B
• GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040EA1C), ref: 0041CD48
• GetProcAddress.KERNEL32(00000000), ref: 0041CD4B
• LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040EA1C), ref: 0041CD5D
• GetProcAddress.KERNEL32(00000000), ref: 0041CD60
• LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040EA1C), ref: 0041CD6D
• GetProcAddress.KERNEL32(00000000), ref: 0041CD70
• GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040EA1C), ref: 0041CD81
• GetProcAddress.KERNEL32(00000000), ref: 0041CD84
• GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040EA1C), ref: 0041CD95
• GetProcAddress.KERNEL32(00000000), ref: 0041CD98
• LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,?,0040EA1C), ref: 0041CDAA
• GetProcAddress.KERNEL32(00000000), ref: 0041CDAD
• LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040EA1C), ref: 0041CDBA
• GetProcAddress.KERNEL32(00000000), ref: 0041CDBD
• LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040EA1C), ref: 0041CDCA
• GetProcAddress.KERNEL32(00000000), ref: 0041CDCD
• LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040EA1C), ref: 0041CDDA
• GetProcAddress.KERNEL32(00000000), ref: 0041CDDD
Strings
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: AddressProc$LibraryLoad$HandleModule
• String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
• API String ID: 4236061018-3687161714
• Opcode ID: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
• Instruction ID: 87b5fa294a9840a4da0a94e675c49188b16ea4214af7843bc20054d8537ab592
• Opcode Fuzzy Hash: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
• Instruction Fuzzy Hash: 06419AA0E8035879DA107BB65D8DE3B3E5CD9857953614837B05C93550FBBCDC408EAE

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                             • Graph of the function at 0040EA00 (basic blocks 40ea00 to 40f3ea); the rendered graph is not reproduced in this text export.
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                                                                                                                              • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                                                                                                                              • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                                                                                                              • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                                                                                                                              • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                                                                                                                              • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                                                                                                                              • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                                                                                                                              • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                                                                                                                              • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                                                                                                                              • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                                                                                                                              • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                                                                                                                              • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                                                                                                                              • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                                                                                                              • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                                                                                                                              • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                                                                                                              • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                                                                                                                              • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                                                                                                                              • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                                                                                                                              • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                                                                                                              • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                                                                                                                              • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                                                                                                              • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                                                                                                                              • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                                                                                                              • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                                                                                                                              • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                                                                                                              • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                                                                                                              • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                                                                                                              • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                                                                                                              • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe,00000104), ref: 0040EA29
                                                                                                                              • Part of subcall function 00410F72: __EH_prolog.LIBCMT ref: 00410F77
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                                                                                            • String ID: ,aF$,aF$8SG$8SG$Access Level: $Administrator$C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe$Exe$Exe$Inj$PSG$Remcos Agent initialized$Rmc-8AXK3L$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                                                                                                                            • API String ID: 2830904901-633281751
                                                                                                                            • Opcode ID: 071f4a2b130f210accf6ffad730fda43086de03d82db5e736e6bd59efd98e1a8
                                                                                                                            • Instruction ID: f870588dacc207cf398a21a9077505b2b75b96970711a81e27f166ce8512e3fa
                                                                                                                            • Opcode Fuzzy Hash: 071f4a2b130f210accf6ffad730fda43086de03d82db5e736e6bd59efd98e1a8
                                                                                                                            • Instruction Fuzzy Hash: 9B32F960B043412BDA24B7729C57B7E26994F80748F50483FB9467B2E3EEBC8D45839E

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                             • Graph of the function at 0041812A (basic blocks 41812a to 4184c7); the rendered graph is not reproduced in this text export.
                                                                                                                            APIs
                                                                                                                            • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00418174
                                                                                                                            • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00418188
                                                                                                                            • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041819C
                                                                                                                            • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 004181B0
                                                                                                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
                                                                                                                            • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
                                                                                                                            • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 00418280
                                                                                                                            • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004182A6
                                                                                                                            • NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 004182CE
                                                                                                                            • NtUnmapViewOfSection.NTDLL(?,?), ref: 004182F6
                                                                                                                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418316
                                                                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418328
                                                                                                                            • NtClose.NTDLL(?), ref: 00418332
                                                                                                                            • TerminateProcess.KERNEL32(?,00000000), ref: 0041833C
                                                                                                                            • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041837C
                                                                                                                            • NtMapViewOfSection.NTDLL(?,00000000), ref: 00418387
                                                                                                                            • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00418446
                                                                                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00418463
                                                                                                                            • ResumeThread.KERNEL32(?), ref: 00418470
                                                                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418487
                                                                                                                            • GetCurrentProcess.KERNEL32(?), ref: 00418492
                                                                                                                            • NtUnmapViewOfSection.NTDLL(00000000), ref: 00418499
                                                                                                                            • NtClose.NTDLL(?), ref: 004184A3
                                                                                                                            • TerminateProcess.KERNEL32(?,00000000), ref: 004184AD
                                                                                                                            • GetLastError.KERNEL32 ref: 004184B5
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Process$Section$AddressHandleModuleProcView$ThreadVirtual$CloseContextCreateCurrentFreeMemoryTerminateUnmapWow64$AllocErrorLastReadResumeWrite
                                                                                                                            • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                                                                                                            • API String ID: 3150337530-3035715614
                                                                                                                            • Opcode ID: c823a5a523639eb235f5adfe7c5fce7303d6972b4bd708db87ed0c766a231877
                                                                                                                            • Instruction ID: d7ba82c79e3f17b97bd8f2c1aaed993f07984c16d96ff77cb9dc1491e823fc6f
                                                                                                                            • Opcode Fuzzy Hash: c823a5a523639eb235f5adfe7c5fce7303d6972b4bd708db87ed0c766a231877
                                                                                                                            • Instruction Fuzzy Hash: 69A15FB0604305AFDB209F64DD85B6B7BE8FF48705F00482EF685D6291EB78D844CB59

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                             • Graph of the function at 0040A2F3 (basic blocks 40a2f3 to 40a3a1); the rendered graph is not reproduced in this text export.
                                                                                                                            APIs
                                                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A30E
                                                                                                                            • SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
                                                                                                                            • GetLastError.KERNEL32 ref: 0040A328
                                                                                                                              • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A376
                                                                                                                            • TranslateMessage.USER32(?), ref: 0040A385
                                                                                                                            • DispatchMessageA.USER32(?), ref: 0040A390
                                                                                                                            Strings
                                                                                                                            • Keylogger initialization failure: error , xrefs: 0040A33C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                                                                                            • String ID: Keylogger initialization failure: error
                                                                                                                            • API String ID: 3219506041-952744263

                                                                                                                            Control-flow Graph (function 100010f1-100011e9): builds a search path with lstrlenW/lstrcatW, calls FindFirstFileW, then loops over FindNextFileW calling 10001000 for each entry before FindClose.
                                                                                                                            APIs
                                                                                                                            • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                                                                                                            • lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001151
                                                                                                                            • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                                                                                                            • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                                                                                                            • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                                                                                                            • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                                                                                                            • FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
                                                                                                                            • FindClose.KERNEL32(00000000), ref: 100011DB
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4198476554.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4198460689.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.4198476554.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1083526818-0

                                                                                                                            Control-flow Graph (function 41b411-41b4c2): InternetOpenW and InternetOpenUrlW, then a loop of InternetReadFile whose data is passed to 4020b7/403376/401fd8, followed by two InternetCloseHandle calls.
                                                                                                                            APIs
                                                                                                                            • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B438
                                                                                                                            • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B44E
                                                                                                                            • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B467
                                                                                                                            • InternetCloseHandle.WININET(00000000), ref: 0041B4AD
                                                                                                                            • InternetCloseHandle.WININET(00000000), ref: 0041B4B0
                                                                                                                            Strings
                                                                                                                            • http://geoplugin.net/json.gp, xrefs: 0041B448
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Internet$CloseHandleOpen$FileRead
                                                                                                                            • String ID: http://geoplugin.net/json.gp
                                                                                                                            • API String ID: 3121278467-91888290
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 004117D7: SetLastError.KERNEL32(0000000D,00411D57,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 004117DD
                                                                                                                            • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411D72
                                                                                                                            • GetNativeSystemInfo.KERNEL32(?,0040D2DD,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411DE0
                                                                                                                            • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411E04
                                                                                                                              • Part of subcall function 00411CDE: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CEE
                                                                                                                            • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E4B
                                                                                                                            • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E52
                                                                                                                            • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F65
                                                                                                                              • Part of subcall function 004120B2: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,?), ref: 00412122
                                                                                                                              • Part of subcall function 004120B2: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 00412129
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3950776272-0
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00413584: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
                                                                                                                              • Part of subcall function 00413584: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004752F0), ref: 004135C2
                                                                                                                              • Part of subcall function 00413584: RegCloseKey.KERNEL32(?), ref: 004135CD
                                                                                                                            • Sleep.KERNEL32(00000BB8), ref: 0040F896
                                                                                                                            • ExitProcess.KERNEL32 ref: 0040F905
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseExitOpenProcessQuerySleepValue
                                                                                                                            • String ID: 5.1.3 Pro$override$pth_unenc
                                                                                                                            • API String ID: 2281282204-1392497409
                                                                                                                            APIs
                                                                                                                            • GetLocalTime.KERNEL32(00000001,00474EE0,00475598,?,?,?,?,00415D11,?,00000001), ref: 00404F81
                                                                                                                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EE0,00475598,?,?,?,?,00415D11,?,00000001), ref: 00404FCD
                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0
                                                                                                                            Strings
                                                                                                                            • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Create$EventLocalThreadTime
                                                                                                                            • String ID: KeepAlive | Enabled | Timeout:
                                                                                                                            • API String ID: 2532271599-1507639952
                                                                                                                            APIs
                                                                                                                            • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00433550,00000034,?,?,004E9308), ref: 004338DA
                                                                                                                            • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000), ref: 004338F0
                                                                                                                            • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000,0041E2E2), ref: 00433902
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Crypt$Context$AcquireRandomRelease
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1815803762-0
                                                                                                                            • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                                                                                                            • Instruction ID: d68cd6f5f98cbfa2ab0450769c499d20ea76a36e668e3df749659bd42d9a4b78
                                                                                                                            • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                                                                                                            • Instruction Fuzzy Hash: 40E09A31208310FBEB301F21AC08F573AA5EF89B66F200A3AF256E40E4D6A68801965C
                                                                                                                            APIs
                                                                                                                            • GetComputerNameExW.KERNEL32(00000001,?,0000002B,004750E4), ref: 0041B6BB
                                                                                                                            • GetUserNameW.ADVAPI32(?,0040F25E), ref: 0041B6D3
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Name$ComputerUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4229901323-0
                                                                                                                            • Opcode ID: 2a75debd1ac83804218ef8ff91a3dd31c7e5d47f43b5da7d436b4f8c80832694
                                                                                                                            • Instruction ID: 8360233331794fbd8bccde093e114755ab2a7c2896376219b9d5f45c8fb32f7b
                                                                                                                            • Opcode Fuzzy Hash: 2a75debd1ac83804218ef8ff91a3dd31c7e5d47f43b5da7d436b4f8c80832694
                                                                                                                            • Instruction Fuzzy Hash: 90014F7190011CABCB01EBD1DC45EEDB7BCAF44309F10016AB505B21A1EFB46E88CBA8
                                                                                                                            APIs
                                                                                                                            • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00415537,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.1.3 Pro), ref: 0040F920
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: InfoLocale
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2299586839-0
                                                                                                                            • Opcode ID: 2888965568e38a2ba7a5abe7093904758464576a93ba76aee1c710f175ee0f35
                                                                                                                            • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                                                                                                                            • Opcode Fuzzy Hash: 2888965568e38a2ba7a5abe7093904758464576a93ba76aee1c710f175ee0f35
                                                                                                                            • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 494 414f65-414fad call 4020df call 41b944 call 4020df call 401e65 call 401fab call 43bb2c 507 414fbc-415008 call 402093 call 401e65 call 4020f6 call 41beac call 40489e call 401e65 call 40b9f8 494->507 508 414faf-414fb6 Sleep 494->508 523 41500a-415079 call 401e65 call 40247c call 401e65 call 401fab call 401e65 call 40247c call 401e65 call 401fab call 401e65 call 40247c call 401e65 call 401fab call 40473d 507->523 524 41507c-415117 call 402093 call 401e65 call 4020f6 call 41beac call 401e65 * 2 call 406c59 call 402f10 call 401fe2 call 401fd8 * 2 call 401e65 call 405b05 507->524 508->507 523->524 577 415127-41512e 524->577 578 415119-415125 524->578 579 415133-4151c5 call 405aa6 call 40531e call 406383 call 402f10 call 402093 call 41b580 call 401fd8 * 2 call 401e65 call 401fab call 401e65 call 401fab call 414f24 577->579 578->579 606 415210-41521e call 40482d 579->606 607 4151c7-41520b WSAGetLastError call 41cb72 call 4052fd call 402093 call 41b580 call 401fd8 579->607 612 415220-415246 call 402093 * 2 call 41b580 606->612 613 41524b-415260 call 404f51 call 4048c8 606->613 630 415ade-415af0 call 404e26 call 4021fa 607->630 612->630 629 415266-4153b9 call 401e65 * 2 call 40531e call 406383 call 402f10 call 406383 call 402f10 call 402093 call 41b580 call 401fd8 * 4 call 41b871 call 4145f8 call 409097 call 441ed1 call 401e65 call 4020f6 call 40247c call 401fab * 2 call 413733 613->629 613->630 694 4153bb-4153c8 call 405aa6 629->694 695 4153cd-4153f4 call 401fab call 4135e1 629->695 643 415af2-415b12 call 401e65 call 401fab call 43bb2c Sleep 630->643 644 415b18-415b20 call 401e8d 630->644 643->644 644->524 694->695 701 4153f6-4153f8 695->701 702 4153fb-415532 call 40417e call 40ddc4 call 41bcd3 call 41bdaf call 41bc1f call 401e65 GetTickCount call 41bc1f call 41bb77 call 41bc1f * 2 call 41bb27 call 41bdaf * 5 call 40f90c 695->702 
701->702 737 415537-415a51 call 41bdaf call 402f31 call 402ea1 call 402f10 call 402ea1 call 402f10 * 3 call 402ea1 call 402f10 call 406383 call 402f10 call 406383 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 406383 call 402f10 * 5 call 402ea1 call 402f10 call 402ea1 call 402f10 * 7 call 402ea1 call 404aa1 call 401fd8 * 50 call 401f09 call 401fd8 * 6 call 401f09 call 404c10 702->737 948 415a53-415a5a 737->948 949 415a65-415a6c 737->949 948->949 952 415a5c-415a5e 948->952 950 415a78-415aaa call 405a6b call 402093 * 2 call 41b580 949->950 951 415a6e-415a73 call 40b08c 949->951 963 415aac-415ab8 CreateThread 950->963 964 415abe-415ad9 call 401fd8 * 2 call 401f09 950->964 951->950 952->949 963->964 964->630
                                                                                                                            APIs
                                                                                                                            • Sleep.KERNEL32(00000000,00000029,004752F0,004750E4,00000000), ref: 00414FB6
                                                                                                                            • WSAGetLastError.WS2_32(00000000,00000001), ref: 004151C7
                                                                                                                            • Sleep.KERNEL32(00000000,00000002), ref: 00415B12
                                                                                                                              • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Sleep$ErrorLastLocalTime
                                                                                                                            • String ID: | $%I64u$,aF$5.1.3 Pro$8SG$C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$PSG$Rmc-8AXK3L$TLS Off$TLS On $dMG$hlight$name$NG$NG$PG$PG$PG
                                                                                                                            • API String ID: 524882891-3318461945
                                                                                                                            • Opcode ID: 195d67893579f0986b197301f256223209d84654e16872544cdbbdb63008b77f
                                                                                                                            • Instruction ID: 9dea7478a43989413a8a7de35667e348ffff56bc780dedce428272fd6db975fd
                                                                                                                            • Opcode Fuzzy Hash: 195d67893579f0986b197301f256223209d84654e16872544cdbbdb63008b77f
                                                                                                                            • Instruction Fuzzy Hash: B8526C31A001155ACB18F732DD96AFEB3769F90348F5044BFE40A761E2EF781E858A9D

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 971 412aef-412b38 GetModuleFileNameW call 4020df * 3 978 412b3a-412bc4 call 41ba09 call 401fab call 40da23 call 401fd8 call 41ba09 call 401fab call 40da23 call 401fd8 call 41ba09 call 401fab call 40da23 call 401fd8 971->978 1003 412bc6-412c56 call 401fab call 40417e call 4042fc call 40431d call 403014 call 401f04 call 4185a3 call 401f09 * 4 978->1003 1026 412c66 1003->1026 1027 412c58-412c60 Sleep 1003->1027 1028 412c68-412cf8 call 401fab call 40417e call 4042fc call 40431d call 403014 call 401f04 call 4185a3 call 401f09 * 4 1026->1028 1027->1003 1027->1026 1051 412d08 1028->1051 1052 412cfa-412d02 Sleep 1028->1052 1053 412d0a-412d9a call 401fab call 40417e call 4042fc call 40431d call 403014 call 401f04 call 4185a3 call 401f09 * 4 1051->1053 1052->1028 1052->1051 1076 412daa-412dcf 1053->1076 1077 412d9c-412da4 Sleep 1053->1077 1078 412dd3-412def call 401f04 call 41c516 1076->1078 1077->1053 1077->1076 1083 412df1-412e00 call 401f04 DeleteFileW 1078->1083 1084 412e06-412e22 call 401f04 call 41c516 1078->1084 1083->1084 1091 412e24-412e3d call 401f04 DeleteFileW 1084->1091 1092 412e3f 1084->1092 1094 412e43-412e5f call 401f04 call 41c516 1091->1094 1092->1094 1100 412e61-412e73 call 401f04 DeleteFileW 1094->1100 1101 412e79-412e7b 1094->1101 1100->1101 1103 412e88-412e93 Sleep 1101->1103 1104 412e7d-412e7f 1101->1104 1103->1078 1107 412e99-412eab call 406b63 1103->1107 1104->1103 1106 412e81-412e86 1104->1106 1106->1103 1106->1107 1110 412f01-412f20 call 401f09 * 3 1107->1110 1111 412ead-412ebb call 406b63 1107->1111 1122 412f25-412f5e call 40b93f call 401f04 call 4020f6 call 413268 1110->1122 1111->1110 1117 412ebd-412ecb call 406b63 1111->1117 1117->1110 1123 412ecd-412ef9 Sleep call 401f09 * 3 1117->1123 1138 412f63-412f89 call 401f09 call 405b05 1122->1138 1123->978 1137 412eff 1123->1137 1137->1122 1143 4130e3-4131dc 
call 41bdaf call 402f31 call 402f10 * 6 call 402ea1 call 404aa1 call 401fd8 * 7 1138->1143 1144 412f8f-4130de call 41bdaf call 41bc1f call 402f31 call 402f10 * 6 call 402ea1 call 402f10 call 402ea1 call 404aa1 call 401fd8 * 10 1138->1144 1213 4131e0-413267 call 401fd8 call 401f09 call 401fd8 * 9 1143->1213 1144->1213
                                                                                                                            APIs
                                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412B08
                                                                                                                              • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                                                                                                              • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                                                                                                              • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                                                                                                            • Sleep.KERNEL32(0000000A,00465E84), ref: 00412C5A
                                                                                                                            • Sleep.KERNEL32(0000000A,00465E84,00465E84), ref: 00412CFC
                                                                                                                            • Sleep.KERNEL32(0000000A,00465E84,00465E84,00465E84), ref: 00412D9E
                                                                                                                            • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E00
                                                                                                                            • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E37
                                                                                                                            • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E73
                                                                                                                            • Sleep.KERNEL32(000001F4,00465E84,00465E84,00465E84), ref: 00412E8D
                                                                                                                            • Sleep.KERNEL32(00000064), ref: 00412ECF
                                                                                                                              • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                                                                                            • String ID: /stext "$,aF$0TG$0TG$NG$NG
                                                                                                                            • API String ID: 1223786279-4119708859
                                                                                                                            • Opcode ID: 29899e099680c200e1a233259cb1fa52047b97e22cacf4fd2dd6398ed5705dc3
                                                                                                                            • Instruction ID: 10d3359c81a21c2239512d2238f4034584c87ebec4848cfd83014516dee20f06
                                                                                                                            • Opcode Fuzzy Hash: 29899e099680c200e1a233259cb1fa52047b97e22cacf4fd2dd6398ed5705dc3
                                                                                                                            • Instruction Fuzzy Hash: 2F0268315083414AC325FB62D891AEFB3E5AFD4348F50483FF58A931E2EF785A49C65A

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 10001434
                                                                                                                              • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                                                                                                              • Part of subcall function 100010F1: lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001151
                                                                                                                              • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                                                                                                              • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                                                                                                              • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                                                                                                              • Part of subcall function 100010F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                                                                                                              • Part of subcall function 100010F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
                                                                                                                              • Part of subcall function 100010F1: FindClose.KERNEL32(00000000), ref: 100011DB
                                                                                                                            • lstrlenW.KERNEL32(?), ref: 100014C5
                                                                                                                            • lstrlenW.KERNEL32(?), ref: 100014E0
• lstrlenW.KERNEL32(?,?), ref: 1000150F
• lstrcatW.KERNEL32(00000000), ref: 10001521
• lstrlenW.KERNEL32(?,?), ref: 10001547
• lstrcatW.KERNEL32(00000000), ref: 10001553
• lstrlenW.KERNEL32(?,?), ref: 10001579
• lstrcatW.KERNEL32(00000000), ref: 10001585
• lstrlenW.KERNEL32(?,?), ref: 100015AB
• lstrcatW.KERNEL32(00000000), ref: 100015B7
Memory Dump Source
• Source File: 00000000.00000002.4198476554.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4198460689.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4198476554.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Similarity
• API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
• String ID: )$Foxmail$ProgramFiles
• API String ID: 672098462-2938083778
• Opcode ID: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
• Instruction ID: 44b728d421a24f1832cbc0053e0d9d9aefaca4d51113d01ad6b93c48f87fe4b0
• Opcode Fuzzy Hash: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
• Instruction Fuzzy Hash: 4081A475A40358A9EB30D7A0DC86FDE7379EF84740F00059AF608EB191EBB16AC5CB95

Control-flow Graph

APIs
• Sleep.KERNEL32(00001388), ref: 0040A77B
  • Part of subcall function 0040A6B0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
  • Part of subcall function 0040A6B0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
  • Part of subcall function 0040A6B0: Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
  • Part of subcall function 0040A6B0: CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
• CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A7B7
• GetFileAttributesW.KERNEL32(00000000), ref: 0040A7C8
• SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7DF
• PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A859
  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
• SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466478,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A962
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
• String ID: 8SG$8SG$pQG$pQG$xdF$PG$PG
• API String ID: 3795512280-661585845
• Opcode ID: 31f9b98c2aa1ca567219a67f802198a24a1653c2bb80b19623cdec70bf563e20
• Instruction ID: 2a79d88b44a8fc0b04dcb000ea34af81e4c48788ca5147296d011aa32960a087
• Opcode Fuzzy Hash: 31f9b98c2aa1ca567219a67f802198a24a1653c2bb80b19623cdec70bf563e20
• Instruction Fuzzy Hash: B6516E716043015ACB15BB72C866ABE77AA9F80349F00483FF646B71E2DF7C9D09865E

Control-flow Graph

APIs
• connect.WS2_32(FFFFFFFF,004EAAB8,00000010), ref: 004048E0
• CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
• CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
• WSAGetLastError.WS2_32 ref: 00404A21
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: CreateEvent$ErrorLastLocalTimeconnect
• String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
• API String ID: 994465650-2151626615
• Opcode ID: d1f41f3bba98414b46424997ca228f43cf48fa14e828e94416cce0836ff00388
• Instruction ID: 8b7d3ad86a52f8452b0ebae4faff6649d271d562dba2871a89d137605d3bb54b
• Opcode Fuzzy Hash: d1f41f3bba98414b46424997ca228f43cf48fa14e828e94416cce0836ff00388
• Instruction Fuzzy Hash: CE41E8B57506017BC61877BB890B52E7A56AB81308B50017FEA0256AD3FA7D9C108BEF

Control-flow Graph

APIs
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
• SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
• CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
• closesocket.WS2_32(000000FF), ref: 00404E5A
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
• SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
• SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBF
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EC4
• SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
• CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED6
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: CloseEventHandle$ObjectSingleWait$closesocket
• String ID:
• API String ID: 3658366068-0
• Opcode ID: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
• Instruction ID: 681aebbacbf541c1c6cd6dfca6fba55586e42b113d9ea1c0d4e3a90daa9851ad
• Opcode Fuzzy Hash: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
• Instruction Fuzzy Hash: DE21EA71154B04AFDB216B26DC49B1BBBA1FF40326F104A2DE2E211AF1CB79B851DB58

Control-flow Graph

APIs
• __Init_thread_footer.LIBCMT ref: 0040AD73
• Sleep.KERNEL32(000001F4), ref: 0040AD7E
• GetForegroundWindow.USER32 ref: 0040AD84
• GetWindowTextLengthW.USER32(00000000), ref: 0040AD8D
• GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040ADC1
• Sleep.KERNEL32(000003E8), ref: 0040AE8F
  • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: Window$SleepText$EventForegroundInit_thread_footerLength
• String ID: [${ User has been idle for $ minutes }$]
• API String ID: 911427763-3954389425
• Opcode ID: 9c9acae8fa179761b49655df3d6bd46202ab7057940629bebce1ef37e6fb8fc4
• Instruction ID: 479ab846abdc3ffa357cf8cfb056c4a9d7a1c57035fbb5610920680a3dc8d5cf
• Opcode Fuzzy Hash: 9c9acae8fa179761b49655df3d6bd46202ab7057940629bebce1ef37e6fb8fc4
• Instruction Fuzzy Hash: 1251E2716043419BD714FB22D856AAE7795AF84308F10093FF986A22E2EF7C9D44C69F

Control-flow Graph

APIs
• GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040DBD5
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: LongNamePath
• String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
• API String ID: 82841172-425784914
• Opcode ID: 27b408779815cc004e99ecfd0e182e1062e96e4c42aa95a1860903710c88a7ad
• Instruction ID: db29472287e64cad03ac4489520097095d7cef5d056ecb8d0020da3553efca3c
• Opcode Fuzzy Hash: 27b408779815cc004e99ecfd0e182e1062e96e4c42aa95a1860903710c88a7ad
• Instruction Fuzzy Hash: 0A4151715082019AC205F765DC96CAAB7B8AE90758F10053FB146B20E2FFBCAE4DC65B

Control-flow Graph (entry block 41c482; block id: address range [API called] -> successor blocks)
• 1689: 41c482-41c493 -> 1690, 1691
• 1690: 41c495-41c498 -> 1693, 1694
• 1691: 41c4ab-41c4b2 -> 1692
• 1692: 41c4b3-41c4cc [CreateFileW] -> 1695, 1696
• 1693: 41c4a1-41c4a9 -> 1692
• 1694: 41c49a-41c49f -> 1692
• 1695: 41c4d2-41c4d7 -> 1698, 1699
• 1696: 41c4ce-41c4d0 -> 1697
• 1697: 41c510-41c515 (no successors)
• 1698: 41c4f2-41c503 [WriteFile] -> 1701, 1702
• 1699: 41c4d9-41c4e7 [SetFilePointer] -> 1698, 1700
• 1700: 41c4e9-41c4f0 [CloseHandle] -> 1696
• 1701: 41c505 -> 1702
• 1702: 41c507-41c50e [CloseHandle] -> 1697
APIs
• CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C4DE
• CloseHandle.KERNEL32(00000000), ref: 0041C4EA
• WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C4FB
• CloseHandle.KERNEL32(00000000), ref: 0041C508
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: File$CloseHandle$CreatePointerWrite
• String ID: xpF
• API String ID: 1852769593-354647465
• Opcode ID: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
• Instruction ID: 0233a984b642d2e84dd4fc2cab076f06cd7f632185dc4648213adf39284592b7
• Opcode Fuzzy Hash: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
• Instruction Fuzzy Hash: 6311E571288215BFE7104A24ACC8EBB739CEB46365F10862BF912D22D0C624DC418639
APIs
  • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
  • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
  • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
  • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
  • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
• StrToIntA.SHLWAPI(00000000,0046CA08,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0041B3CD
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: Process$CloseCurrentOpenQueryValueWow64
• String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
• API String ID: 782494840-2070987746
• Opcode ID: 70aeebfde4e8ccf81da31cba9b4afeb78651f6f58e4fc5e743a82ff9474bbeff
• Instruction ID: f33cb4008a08c387480eb48f471200dcc92f04aa72c22424ac0a9b44a4c1d04d
• Opcode Fuzzy Hash: 70aeebfde4e8ccf81da31cba9b4afeb78651f6f58e4fc5e743a82ff9474bbeff
• Instruction Fuzzy Hash: 8811C47064014926C704B7658C97EFE76198790344F94413BF806A61D3FB6C598683EE
APIs
• GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
• GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
• GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
  • Part of subcall function 1000C803: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
  • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
  • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
Memory Dump Source
• Source File: 00000000.00000002.4198476554.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4198460689.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4198476554.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Similarity
• API ID: AddressHandleModuleProcProtectVirtual
• String ID:
• API String ID: 2099061454-0
• Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
• Instruction ID: 210348daefc771ff09e919cc38fdfa0d839c8297c2798a32150270056baeab90
• Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
• Instruction Fuzzy Hash: 0301D22094574A38BA51D7B40C06EBA5FD8DB176E0B24D756F1408619BDDA08906C3AE
APIs
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: CountEventTick
• String ID: !D@$,aF$NG
• API String ID: 180926312-2771706352
• Opcode ID: b50a17d1fabeecf89797dbc75c8850f600dd65fa856d07d01f0ad9db43714077
• Instruction ID: 3ac9408315e1e6036cedb879f74fb80cbd33a95067926c5a5f9e9f7d680cff10
• Opcode Fuzzy Hash: b50a17d1fabeecf89797dbc75c8850f600dd65fa856d07d01f0ad9db43714077
• Instruction Fuzzy Hash: 3E51A5315082019AC724FB32D852AFF73A5AF94304F50483FF54A671E2EF3C5945C68A
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
• Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
• CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: File$CloseCreateHandleSizeSleep
• String ID: XQG
• API String ID: 1958988193-3606453820
• Opcode ID: 28ce54e323a61a7c7e3df4bf156f69a9efcaf564c436a4257aa778de296e5956
• Instruction ID: fa029248b1ac628aedb802b18ed81a98d1a4018e107c0b234daa3009ae89debe
• Opcode Fuzzy Hash: 28ce54e323a61a7c7e3df4bf156f69a9efcaf564c436a4257aa778de296e5956
• Instruction Fuzzy Hash: 96110130600740AADA31A734988961F7BA9DB45356F44483EF1866B6D3C67DDC64C71F
APIs
• GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
• GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
  • Part of subcall function 1000C7E6: GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
  • Part of subcall function 1000C7E6: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
  • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
  • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
Memory Dump Source
• Source File: 00000000.00000002.4198476554.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4198460689.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4198476554.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Similarity
• API ID: AddressHandleModuleProcProtectVirtual
• String ID:
• API String ID: 2099061454-0
• Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
• Instruction ID: abaa11d5974e3e1b05dfd32ec0224f7ddc3d76465740e120717e363e7a178845
• Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
• Instruction Fuzzy Hash: A921382140838A6FF711CBB44C05FA67FD8DB172E0F198696E040CB147DDA89845C3AE
APIs
• GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
• VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
• VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
• GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
• GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
Memory Dump Source
• Source File: 00000000.00000002.4198476554.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4198460689.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4198476554.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Similarity
• API ID: AddressProcProtectVirtual$HandleModule
• String ID:
• API String ID: 2152742572-0
• Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
• Instruction ID: 9138b94afbcae90e12a8614b592989542e7cb6e8cba5f1d72008c399686a5f74
• Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
• Instruction Fuzzy Hash: B7F0C2619497893CFA21C7B40C45EBA5FCCCB276E0B249A56F600C718BDCA5890693FE
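The API entries in the records above print every argument as a raw hex stack word, and print more words than the API actually takes (the values after the documented parameters are the caller's frame: return addresses, pointers to resolved strings such as fso.DeleteFile(Wscript.ScriptFullName)). A "?" is a value the sandbox could not resolve. The following parser is an added example, not part of the Joe Sandbox report or its tooling: it reads lines in the report's own "Name.MODULE(args), ref: addr" layout, decodes only the documented parameters of the calls that appear on this page into their Win32 constants (GENERIC_WRITE, CREATE_ALWAYS, FILE_END, PAGE_READWRITE, HKEY_CURRENT_USER, KEY_READ), keeps the trailing stack residue separately, and emits a few triage notes. The sample input is constructed from the entries above; the parameter tables and the triage heuristics are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed input: API lines copied from the function records above, one call
# per line in the report's own "Name.MODULE(args), ref: addr" layout.
SAMPLE = """\
• CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C4DE
• WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C4FB
• CloseHandle.KERNEL32(00000000), ref: 0041C508
  • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
• VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
• CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
• Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
• wsprintfW.USER32 ref: 0040B22E
"""
LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\),)?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")

# Win32 constants for the parameters that matter in triage ("flags" = bitmask, "enum" = single value).
TABLES = {
    "access": {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE", 0x20000000: "GENERIC_EXECUTE"},
    "share": {1: "FILE_SHARE_READ", 2: "FILE_SHARE_WRITE", 4: "FILE_SHARE_DELETE"},
    "disposition": {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"},
    "move": {0: "FILE_BEGIN", 1: "FILE_CURRENT", 2: "FILE_END"},
    "protect": {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"},
    "hkey": {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"},
    "sam": {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"},
}
# Documented parameter lists ("name:kind"). The sandbox prints more values than the
# API takes (the caller's stack: return addresses, resolved string pointers), so only
# the first len(PARAMS[api]) values are real arguments; the rest is kept as "extra".
PARAMS = {
    "CreateFileW": ["lpFileName:hex", "dwDesiredAccess:flags:access", "dwShareMode:flags:share",
                    "lpSecurityAttributes:hex", "dwCreationDisposition:enum:disposition",
                    "dwFlagsAndAttributes:hex", "hTemplateFile:hex"],
    "SetFilePointer": ["hFile:hex", "lDistanceToMove:hex", "lpDistanceToMoveHigh:hex", "dwMoveMethod:enum:move"],
    "WriteFile": ["hFile:hex", "lpBuffer:hex", "nNumberOfBytesToWrite:hex", "lpNumberOfBytesWritten:hex", "lpOverlapped:hex"],
    "CloseHandle": ["hObject:hex"],
    "VirtualProtect": ["lpAddress:hex", "dwSize:hex", "flNewProtect:enum:protect", "lpflOldProtect:hex"],
    "Sleep": ["dwMilliseconds:ms"],
    "RegOpenKeyExA": ["hKey:enum:hkey", "lpSubKey:hex", "ulOptions:hex", "samDesired:enum:sam", "phkResult:hex"],
}

@dataclass
class Call:
    api: str
    module: str
    ref: str                    # address of the call site
    subcall_of: Optional[str]   # set when the report attributes the call to a callee
    raw: List[str]              # argument values exactly as printed
    params: Dict[str, str] = field(default_factory=dict)  # decoded real parameters
    extra: List[str] = field(default_factory=list)        # stack residue past the last real parameter

def decode_value(raw: str, kind: str) -> str:
    """Turn one printed argument into a readable constant; '?' and literals pass through."""
    try:
        value = int(raw, 16)
    except ValueError:
        return raw              # "?" or a string the sandbox resolved in place
    if kind == "hex":
        return f"0x{value:X}"
    if kind == "ms":
        return f"{value} ms ({value / 1000:g} s)"
    family, table_name = kind.split(":")
    table = TABLES[table_name]
    if family == "enum":
        return table.get(value, f"0x{value:X}")
    names = [name for bit, name in table.items() if value & bit]
    if value & ~sum(table):     # bits with no name in the table
        names.append(f"0x{value & ~sum(table):X}")
    return "|".join(names) or "0"

def parse_calls(text: str) -> List[Call]:
    calls = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue            # headers, blank lines, anything that is not an API entry
        raw = m["args"].split(",") if m["args"] else []
        call = Call(m["api"], m["mod"], m["ref"], m["sub"], raw)
        specs = PARAMS.get(call.api, [])
        for spec, value in zip(specs, raw):
            name, kind = spec.split(":", 1)
            call.params[name] = decode_value(value, kind)
        call.extra = raw[len(specs):]
        calls.append(call)
    return calls

def triage_notes(calls: List[Call]) -> List[str]:
    """Heuristic one-liners for the call patterns worth a second look."""
    notes = []
    for c in calls:
        p = c.params
        if c.api == "CreateFileW" and "GENERIC_WRITE" in p.get("dwDesiredAccess", "") \
                and p.get("dwCreationDisposition") == "CREATE_ALWAYS":
            notes.append(f"{c.ref}: creates or overwrites a file for writing")
        elif c.api == "VirtualProtect" and p.get("flNewProtect") == "PAGE_READWRITE":
            notes.append(f"{c.ref}: makes {p['dwSize']} bytes writable (memory patch / hook pattern)")
        elif c.api == "Sleep" and int(c.raw[0], 16) >= 5000:
            notes.append(f"{c.ref}: {p['dwMilliseconds']} delay")
    return notes
```

Run `triage_notes(parse_calls(SAMPLE))` to get one line each for the CreateFileW at 0041C4C1 (GENERIC_WRITE, CREATE_ALWAYS), the VirtualProtect at 1000C816 (0x78 bytes set to PAGE_READWRITE) and the Sleep at 0040A722 (10 s); the read-only CreateFileW at 0040A6E6 (GENERIC_READ, OPEN_EXISTING, all three share flags) is decoded but not flagged. Decoding by position is only valid for the documented parameter count, which is why an API missing from PARAMS keeps all its values in `extra` rather than guessing; extend PARAMS from the Win32 documentation before trusting a decoded name for another call.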
APIs
• CreateThread.KERNEL32(00000000,00000000,0040A2B8,?,00000000,00000000), ref: 0040A239
• CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 0040A249
• CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 0040A255
  • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
  • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
Strings
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: CreateThread$LocalTimewsprintf
• String ID: Offline Keylogger Started
• API String ID: 465354869-4114347211
• Opcode ID: d3f8bb2804ff29de7431fbaabea497dd7945a2d4dec367e859110d7e981f279b
• Instruction ID: fa9a7328340dc7f48b0d085764b542104813bfc3ea66268f7111ac5d0199d402
• Opcode Fuzzy Hash: d3f8bb2804ff29de7431fbaabea497dd7945a2d4dec367e859110d7e981f279b
• Instruction Fuzzy Hash: 1111ABB12003187ED210BB368C87CBB765DDA4139CB40057FF946221C2EA795D14CAFB
APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
• RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000,004752F0,?,?,0040F88E,004674C8,5.1.3 Pro), ref: 004137E1
• RegCloseKey.KERNEL32(?,?,?,0040F88E,004674C8,5.1.3 Pro), ref: 004137EC
Strings
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: CloseCreateValue
• String ID: pth_unenc
• API String ID: 1818849710-4028850238
• Opcode ID: 944061157b2f8cf5ce0fe9502f04d7932ff2a7d7d8f180209318ac9fb18fc527
• Instruction ID: b09b06e14e5a963f4ed757ac8f346f2723baee7be417271cc0de3610a50c6458
• Opcode Fuzzy Hash: 944061157b2f8cf5ce0fe9502f04d7932ff2a7d7d8f180209318ac9fb18fc527
• Instruction Fuzzy Hash: A4F06272500218FBDF00AFA1DC45DEA376CEF04751F108566FD1AA61A1DB359E14DB54
APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
• CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00404DD2
• CloseHandle.KERNEL32(00000000,?,00000000), ref: 00404DDB
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: Create$CloseEventHandleObjectSingleThreadWait
• String ID:
• API String ID: 3360349984-0
• Opcode ID: 028fe8f6fecc2507a37e94400a5d89d3ce99a4c931556f406eb49177b4af90ff
• Instruction ID: 30d48123e17294c38ae6f490953f1b42a5ca81467cb0df1087f173bd09261e59
• Opcode Fuzzy Hash: 028fe8f6fecc2507a37e94400a5d89d3ce99a4c931556f406eb49177b4af90ff
• Instruction Fuzzy Hash: 684182B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
• GetFileSize.KERNEL32(00000000,00000000), ref: 0041C543
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041C568
• CloseHandle.KERNEL32(00000000), ref: 0041C576
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandleReadSize
• String ID:
• API String ID: 3919263394-0
• Opcode ID: ea631e93aeae4d86132659a3c821e70bd950fb822780c369254ddbb306c6d1ec
• Instruction ID: 4673af35f3eeaf13de89ae80f5e83caf65f56e40ae5cb47f4621101913e6d1ef
• Opcode Fuzzy Hash: ea631e93aeae4d86132659a3c821e70bd950fb822780c369254ddbb306c6d1ec
• Instruction Fuzzy Hash: 50F0C2B1241318BFE6101B25ADC9EBB369DDB866A9F10063EF802A22D1DA698D055139
APIs
• CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0040D0B3
• GetLastError.KERNEL32 ref: 0040D0BE
Strings
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: CreateErrorLastMutex
• String ID: Rmc-8AXK3L
• API String ID: 1925916568-2005171754
• Opcode ID: eabddf02165d7cb7ab60b975d5c9d75332e346c4e6257b5baf50d4a4f7034b19
• Instruction ID: 57749e379dff282fb0cfe370275dd79dddcb706c5168e3a31171962593876721
• Opcode Fuzzy Hash: eabddf02165d7cb7ab60b975d5c9d75332e346c4e6257b5baf50d4a4f7034b19
• Instruction Fuzzy Hash: 0DD012B0605700EBDB186770ED5975839559744702F40487AB50FD99F1CBBC88908519
APIs
• send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
• WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
• SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: EventObjectSingleWaitsend
• String ID:
• API String ID: 3963590051-0
• Opcode ID: 80c7fea73abe22e7e454ca4c608e8bd367ca1317486abb7208023f805754322d
• Instruction ID: ade4869c8039bafc3f5202e75afdfb18787be874a76dce876c460fae4797ad88
• Opcode Fuzzy Hash: 80c7fea73abe22e7e454ca4c608e8bd367ca1317486abb7208023f805754322d
• Instruction Fuzzy Hash: 152124B2900119BBCB04ABA1DC95DEEB77CFF14314B00452FF515B71E2EB38AA15C6A4
APIs
• RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
• RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
• RegCloseKey.KERNEL32(?), ref: 0041362D
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: e5c88bf4778b1a12960ae4c3b265923e79f6a7b3b3cce25859afcc872f091df0
• Instruction ID: 0661f39b514c0023b6096d8878825bbc81d19e8e8981dfb5b132c5fecbfe39b6
• Opcode Fuzzy Hash: e5c88bf4778b1a12960ae4c3b265923e79f6a7b3b3cce25859afcc872f091df0
• Instruction Fuzzy Hash: 4A01D676900228FBCB209B91DC08DEF7F7DDB44B51F004066BB05A2240DA748E45DBA4
APIs
• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 0041374F
• RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00413768
• RegCloseKey.KERNEL32(00000000), ref: 00413773
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
• Instruction ID: cdc8bb2f12cdea1da97e3e4d454c68039a4c25ad8704162e95ac064a0ac82555
• Opcode Fuzzy Hash: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
• Instruction Fuzzy Hash: C301AD7540022DFBDF215F91DC04DEB3F38EF05761F008065BE09620A1E7358AA5EB94
APIs
• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
• RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004752F0), ref: 004135C2
• RegCloseKey.KERNEL32(?), ref: 004135CD
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
• Instruction ID: 3ea041f737baa467864e73cd7e114674dd940ed34319bd14b5ec79364d8ab256
• Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
• Instruction Fuzzy Hash: 39F01D76900218FFDF109FA09C45FEE7BBDEB04B11F1044A5BA04E6191D6359F549B94
APIs
• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040C1D7,00466C58), ref: 00413551
• RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040C1D7,00466C58), ref: 00413565
• RegCloseKey.KERNEL32(?,?,?,0040C1D7,00466C58), ref: 00413570
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
• Instruction ID: 960a54a16a1ccd4152458ec6927d20d37e2092670a33f2d7c306b576a706ad25
• Opcode Fuzzy Hash: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
• Instruction Fuzzy Hash: 23E06532801238FBDF204FA29C0DDEB7F6CDF06BA1B000155BD0CA1111D2258E50E6E4
APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
• RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
• RegCloseKey.KERNEL32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
Similarity
• API ID: CloseCreateValue
• String ID:
• API String ID: 1818849710-0
• Opcode ID: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
• Instruction ID: 04d77b696783773a8a307df6842786532c8303179302b097fa31242bc3118ae5
• Opcode Fuzzy Hash: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
• Instruction Fuzzy Hash: 1EE06D72500318FBDF109FA0DC06FEA7BACEF04B62F104565BF09A6191D6358E14E7A8
Similarity
• API ID: _wcslen
• String ID: pQG
• API String ID: 176396367-3769108836
• Opcode ID: 5581d9da4b44419582c52f90d2dac08d2b870ca85f72c258eca40ba8ececd965
• Instruction ID: e26466b944e621eef81fbe5db30e3e3b172770e45cde188e8c087a2518f8d89f
• Opcode Fuzzy Hash: 5581d9da4b44419582c52f90d2dac08d2b870ca85f72c258eca40ba8ececd965
• Instruction Fuzzy Hash: 631181319002059BCB15EF66E852AEF7BB4AF54314B10413FF446A62E2EF78AD15CB98
APIs
• GlobalMemoryStatusEx.KERNEL32(?), ref: 0041B85B
Similarity
• API ID: GlobalMemoryStatus
• String ID: @
• API String ID: 1890195054-2766056989
• Opcode ID: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
• Instruction ID: 2d2b64c70bc766df394076410504e3f9c8f669937c614d63c6700d8895b1c70c
• Opcode Fuzzy Hash: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
• Instruction Fuzzy Hash: E6D017B58023189FC720DFA8E804A8DBBFCFB08210F00456AEC49E3700E770E8008B94
APIs
• _free.LIBCMT ref: 00446227
  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
• RtlReAllocateHeap.NTDLL(00000000,00000000,?,?,0000000F,00000000,00432F93,00000000,0000000F,0042F99D,?,?,00431A44,?,?,00000000), ref: 00446263
Similarity
• API ID: AllocateHeap$_free
• String ID:
• API String ID: 1482568997-0
• Opcode ID: b10fa1e8472e683284d1f6c52ed4eb802d80ccb8cfc65d6c0dd02300a023487f
• Instruction ID: 528349031ecf72c594af6ac828cc426c74ce8c7b4bfa82022820746e0f177899
• Opcode Fuzzy Hash: b10fa1e8472e683284d1f6c52ed4eb802d80ccb8cfc65d6c0dd02300a023487f
• Instruction Fuzzy Hash: 4CF0283110121176BB213B266C01B6B3759AF83B70B1700ABFC1466281CFBCCC41406F
APIs
• socket.WS2_32(00000002,00000001,00000006), ref: 00404852
• CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E
  • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
Similarity
• API ID: CreateEventStartupsocket
• String ID:
• API String ID: 1953588214-0
• Opcode ID: 1e452a305f2f2717745e8e1604374189d9659e6cad2ea1bb393ee33250cb33e3
• Instruction ID: ed99eca956a2b7a9b5891d615cc725ddac26720bb1770143763ad27df005c20f
• Opcode Fuzzy Hash: 1e452a305f2f2717745e8e1604374189d9659e6cad2ea1bb393ee33250cb33e3
• Instruction Fuzzy Hash: 760171B1408B809ED7359F38A8456877FE0AB55304F048D6EF1DA97B91D3B5A881CB18
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: e70bc1220f3c0aaa69c113e67994fb024de36f7e04ed45e289cd83dd41bab85d
                                                                                                                            • Instruction ID: 1e9d0a06bdb6e9f7b23a96960dfc4b712b0be9606a3b942e14a6d4fe6a34620f
                                                                                                                            • Opcode Fuzzy Hash: e70bc1220f3c0aaa69c113e67994fb024de36f7e04ed45e289cd83dd41bab85d
                                                                                                                            • Instruction Fuzzy Hash: EBF0E2706042016BCB0C8B34CD50B2A37954B84325F248F7FF02BD61E0C73EC8918A0D
                                                                                                                            APIs
                                                                                                                            • GetForegroundWindow.USER32 ref: 0041BB49
                                                                                                                            • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041BB5C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Window$ForegroundText
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 29597999-0
                                                                                                                            • Opcode ID: 2784d0b2db336add8319ad638143428ee57387129fbd6e48793ce9af45086994
                                                                                                                            • Instruction ID: 8c7c0eb369f00208a7459315ff6bb8442305c4ed6b2016914032ba092e23deac
                                                                                                                            • Opcode Fuzzy Hash: 2784d0b2db336add8319ad638143428ee57387129fbd6e48793ce9af45086994
                                                                                                                            • Instruction Fuzzy Hash: 21E04875A00328A7E720A7A5AC4EFD5776C9708755F0001AEBA1CD61C2EDB4AD448BE5
                                                                                                                            APIs
                                                                                                                            • getaddrinfo.WS2_32(00000000,00000000,00000000,00472ADC,004750E4,00000000,004151C3,00000000,00000001), ref: 00414F46
                                                                                                                            • WSASetLastError.WS2_32(00000000), ref: 00414F4B
                                                                                                                              • Part of subcall function 00414DC1: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                                                                                                              • Part of subcall function 00414DC1: LoadLibraryA.KERNEL32(?), ref: 00414E52
                                                                                                                              • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                                                                                                              • Part of subcall function 00414DC1: FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                                                                                                              • Part of subcall function 00414DC1: LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                                                                                                              • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                                                                                                              • Part of subcall function 00414DC1: FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                                                                                                              • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1170566393-0
                                                                                                                            • Opcode ID: 63e6a57adcb3e9d376df8b1f7a36805de8af56205c6b0d3f673684859221182d
                                                                                                                            • Instruction ID: 64a5677b7ab27dcaa32d5743096e05a6e92bfc5102e3e8065abb212a99eff034
                                                                                                                            • Opcode Fuzzy Hash: 63e6a57adcb3e9d376df8b1f7a36805de8af56205c6b0d3f673684859221182d
                                                                                                                            • Instruction Fuzzy Hash: 23D017322005316BD320A769AC00AEBAA9EDFD6760B12003BBD08D2251DA949C8286E8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 3a029944d771eb8a1b2846a7b5ac2838134afd3be6a211902ab956b72bc11154
                                                                                                                            • Instruction ID: 3af98ca860494c99acd04ebe2bb4cc6dc665ec8dea8eb108ba88c8789d347e54
                                                                                                                            • Opcode Fuzzy Hash: 3a029944d771eb8a1b2846a7b5ac2838134afd3be6a211902ab956b72bc11154
                                                                                                                            • Instruction Fuzzy Hash: 9411E3B27201019FD7149B18C860BA6B766FF50710F5942AAE256CB3B2DB35EC91CA98
                                                                                                                            APIs
                                                                                                                            • RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocateHeap
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1279760036-0
                                                                                                                            • Opcode ID: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
                                                                                                                            • Instruction ID: 139fbca062bb8bf671a891d82c3cf8fc988f9ce198a1a8b78c24da0334343556
                                                                                                                            • Opcode Fuzzy Hash: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
                                                                                                                            • Instruction Fuzzy Hash: CEE0E531A0021267F6312A269C01B5B76599B437A0F170137AD15922D2CE6CCD0181EF
                                                                                                                            APIs
                                                                                                                            • WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Startup
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 724789610-0
                                                                                                                            • Opcode ID: e47b679f8b5f7a60eca2a032b66c8256c268ab46ab34190103e4171c6a1e128b
                                                                                                                            • Instruction ID: 97c3e6bab4f4407137ad71e204409d8be70fba83985c90e8682379c152a4c00d
                                                                                                                            • Opcode Fuzzy Hash: e47b679f8b5f7a60eca2a032b66c8256c268ab46ab34190103e4171c6a1e128b
                                                                                                                            • Instruction Fuzzy Hash: 92D0123255C70C8EE620ABB4AD0F8A4775CC317616F0007BA6CB5836D3E6405B1DC2AB
                                                                                                                            APIs
                                                                                                                            • std::_Deallocate.LIBCONCRT ref: 00402E2B
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Deallocatestd::_
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1323251999-0
                                                                                                                            • Opcode ID: 1728ba59e3f5797c2b26d6c1ec3f14ce13f4925b5309dcbb8e7c7e422a6d3f49
                                                                                                                            • Instruction ID: a1ed0c2070530d0d1545540182683da5b3cb4a6c90a46b83737b9b29f97d9faa
                                                                                                                            • Opcode Fuzzy Hash: 1728ba59e3f5797c2b26d6c1ec3f14ce13f4925b5309dcbb8e7c7e422a6d3f49
                                                                                                                            • Instruction Fuzzy Hash: FFB092364442007ACA026640AC86F5EB762ABA4710F14C92ABA9A281E2D6B74268A647
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: recv
• String ID:
• API String ID: 1507349165-0
• Opcode ID: f4db5bd4806bc66e377c48788e3214861744c877e7cd4eb35e6567da0e63c1ec
• Instruction ID: c63eaffdb417a6470c671315a396a42075a312041b5b8b5670d44767818a4bbd
• Opcode Fuzzy Hash: f4db5bd4806bc66e377c48788e3214861744c877e7cd4eb35e6567da0e63c1ec
• Instruction Fuzzy Hash: 26B09279108202FFCA150B60CC0886ABEA6ABC8382B00882DB586411B0C736C851AB26
APIs
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: send
• String ID:
• API String ID: 2809346765-0
• Opcode ID: b9ca0b0eaa02557cb4d56b342a6254bf92ad90fc72112118e0a601f448bbd0ca
• Instruction ID: 21703143275c54c82102de5c78eddca0fb0a16d203a0de67c7bd570fb3111ac2
• Opcode Fuzzy Hash: b9ca0b0eaa02557cb4d56b342a6254bf92ad90fc72112118e0a601f448bbd0ca
• Instruction Fuzzy Hash: 87B09B75108301FFD6150760CC0486A7D6597C8341F00491C718741170C635C8515725
APIs
• VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CEE [flAllocationType 0x3000 = MEM_COMMIT|MEM_RESERVE, flProtect 0x40 = PAGE_EXECUTE_READWRITE: an RWX allocation, the usual staging area for unpacked or injected code]
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 419aedcff02c784107df6911406269fb4724b8c0c47efc41c654e3b285a5c19f
• Instruction ID: 079a7b638a28e99b338f4493b6ebfa8105bff269478f0661155a893ef6bf0f7e
• Opcode Fuzzy Hash: 419aedcff02c784107df6911406269fb4724b8c0c47efc41c654e3b285a5c19f
• Instruction Fuzzy Hash: 13B00872418382EBCF02DF90DD0492ABAB2BB88741F184C5CB2A14107187228428EB06
APIs
• SetEvent.KERNEL32(?,?), ref: 00407CF4
• GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407DC2
• DeleteFileW.KERNEL32(00000000), ref: 00407DE4
  • Part of subcall function 0041C322: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C37D
  • Part of subcall function 0041C322: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3AD
  • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C402
  • Part of subcall function 0041C322: FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C463
  • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C46A
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
  • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
  • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004081D2 [verb "open", nShowCmd 1 = SW_SHOWNORMAL: runs a downloaded file with its default handler]
• GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004082B3 [nBufferLength 0x64 = 100 bytes: drive enumeration for the file browser]
• SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084FF
• DeleteFileA.KERNEL32(?), ref: 0040868D
  • Part of subcall function 00408847: __EH_prolog.LIBCMT ref: 0040884C
  • Part of subcall function 00408847: FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
  • Part of subcall function 00408847: __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
  • Part of subcall function 00408847: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
• Sleep.KERNEL32(000007D0), ref: 00408733 [0x7D0 = 2000 ms]
• StrToIntA.SHLWAPI(00000000,00000000), ref: 00408775
  • Part of subcall function 0041CA73: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68 [uiAction 0x14 = SPI_SETDESKWALLPAPER, fWinIni 0x3 = SPIF_UPDATEINIFILE|SPIF_SENDCHANGE: changes the desktop wallpaper]
Strings
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
• String ID: (PG$(aF$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
• API String ID: 1067849700-414524693
• Opcode ID: 5efb29e26335e435e9af48c2ee0bf85a9cc48e0febb065a4a92f0298bf37a671
• Instruction ID: f533dcafa702064eae222fc9ff54aa9327b172b3479e3db69e1c842a3252ef64
• Opcode Fuzzy Hash: 5efb29e26335e435e9af48c2ee0bf85a9cc48e0febb065a4a92f0298bf37a671
• Instruction Fuzzy Hash: F04293716043016BC604FB76C9579AE77A9AF91348F80483FF542671E2EF7C9908879B
APIs
• __Init_thread_footer.LIBCMT ref: 004056E6
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
• __Init_thread_footer.LIBCMT ref: 00405723
• CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660CC,00000000), ref: 004057B6 [first of two anonymous pipes: the stdin/stdout pair for a child shell]
• CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F [bInheritHandles = 1 so the child inherits the pipe ends; the string table names the child as cmd.exe]
• Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897 [0x12C = 300 ms poll interval]
• PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC [non-blocking check for pending shell output before ReadFile]
• ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
• WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660D0,00000062,004660B4), ref: 004059E4 [operator input written to the shell's stdin pipe]
• Sleep.KERNEL32(00000064,00000062,004660B4), ref: 004059FE [0x64 = 100 ms]
• TerminateProcess.KERNEL32(00000000), ref: 00405A17 [kills the shell; the four CloseHandle calls that follow release both ends of both pipes]
• CloseHandle.KERNEL32 ref: 00405A23
• CloseHandle.KERNEL32 ref: 00405A2B
• CloseHandle.KERNEL32 ref: 00405A3D
• CloseHandle.KERNEL32 ref: 00405A45
Strings
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
• String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
• API String ID: 2994406822-18413064
• Opcode ID: 693c4ca80acef2cf7bdd957ce53c30dfdc6cf14a9f4671f6684a56b4ee471d7b
• Instruction ID: feb7c3e087fbbfe745e3798ef664df189eb35a760580a6c3fca7c2e5343dee52
• Opcode Fuzzy Hash: 693c4ca80acef2cf7bdd957ce53c30dfdc6cf14a9f4671f6684a56b4ee471d7b
• Instruction Fuzzy Hash: 1A91C271604604AFD711FB36ED42A6B369AEB84308F01443FF589A62E2DB7D9C448F6D
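The entry above is the RAT's remote command shell: two CreatePipe calls, CreateProcessA with inherited handles for cmd.exe, a Sleep/PeekNamedPipe/ReadFile polling loop for output, WriteFile for operator input, and TerminateProcess followed by four CloseHandle calls. The code below is an added example, not code from the report or from Remcos, that re-creates the same pipe-driven shell in Python so an analyst can reproduce the behaviour locally (300 ms polls, output arriving in chunks, hard kill at the end) when building sandbox or EDR test cases. It launches cmd.exe on Windows and sh elsewhere so it runs anywhere; the idle timeout, chunk size and the command list are assumptions, and there is no network component.

```python
import os
import queue
import subprocess
import threading
import time
from typing import List

POLL_INTERVAL_S = 0.3   # Sleep(0x12C) = 300 ms between PeekNamedPipe calls in the sample
IDLE_QUIET_S = 1.0      # assumption: no output for this long means the command has finished
READ_CHUNK = 4096       # assumption: read size per pipe drain


def shell_argv() -> List[str]:
    # The sample launches cmd.exe; on non-Windows hosts use sh so the example still runs.
    return ["cmd.exe"] if os.name == "nt" else ["sh"]


def _pump_output(fd: int, out_q: "queue.Queue[bytes]") -> None:
    # Reader thread. On Windows the sample calls PeekNamedPipe to see whether
    # bytes are pending and ReadFile only when they are; a thread doing blocking
    # reads gives the main loop the same non-blocking view of the output pipe.
    while True:
        try:
            chunk = os.read(fd, READ_CHUNK)
        except OSError:
            chunk = b""
        out_q.put(chunk)
        if not chunk:           # EOF: the child closed its end of the pipe
            return


def run_shell_session(commands: List[str], timeout_s: float = 15.0) -> str:
    """Drive one long-lived shell child through its stdin/stdout pipes and return
    everything it wrote. Mirrors the CreatePipe x2 / CreateProcess / poll /
    WriteFile / TerminateProcess sequence of the function above."""
    proc = subprocess.Popen(
        shell_argv(),
        stdin=subprocess.PIPE,        # pipe 1: operator -> shell
        stdout=subprocess.PIPE,       # pipe 2: shell -> operator
        stderr=subprocess.STDOUT,     # errors share the output pipe
        bufsize=0,
    )
    out_q: "queue.Queue[bytes]" = queue.Queue()
    reader = threading.Thread(target=_pump_output, args=(proc.stdout.fileno(), out_q), daemon=True)
    reader.start()

    collected = bytearray()
    deadline = time.monotonic() + timeout_s
    eof = False
    try:
        for cmd in commands:
            if eof or proc.poll() is not None:
                break
            proc.stdin.write((cmd + "\n").encode())   # WriteFile to the shell's stdin
            proc.stdin.flush()
            last_output = time.monotonic()
            while time.monotonic() < deadline:
                try:
                    chunk = out_q.get(timeout=POLL_INTERVAL_S)   # the 300 ms poll cadence
                except queue.Empty:
                    if time.monotonic() - last_output >= IDLE_QUIET_S:
                        break                                    # output has gone quiet
                    continue
                if not chunk:
                    eof = True
                    break
                collected += chunk
                last_output = time.monotonic()
    finally:
        if proc.poll() is None:
            proc.kill()                   # TerminateProcess
        proc.wait()
        reader.join(timeout=2)
        proc.stdin.close()                # the CloseHandle calls on the pipe ends
        proc.stdout.close()
    return collected.decode(errors="replace")


if __name__ == "__main__":
    print(run_shell_session(["echo remcos-style shell test", "echo done"]))
```

The quiet-period heuristic is what makes the loop usable without a prompt detector: the sample likewise has no way to know when a command has finished and simply forwards whatever PeekNamedPipe reports as pending.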
APIs
• GetCurrentProcessId.KERNEL32 ref: 00412141
  • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0 [hKey 0x80000001 = HKEY_CURRENT_USER]
  • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB [dwType 4 = REG_DWORD, cbData 4]
  • Part of subcall function 004138B2: RegCloseKey.KERNEL32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
• OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412181 [dwDesiredAccess 0x100000 = SYNCHRONIZE; the handle is closed immediately, i.e. a presence check]
• CloseHandle.KERNEL32(00000000), ref: 00412190
• CreateThread.KERNEL32(00000000,00000000,00412829,00000000,00000000,00000000), ref: 004121E6
• OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00412455 [dwDesiredAccess 0x1FFFFF = PROCESS_ALL_ACCESS]
Strings
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
• String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
• API String ID: 3018269243-13974260
• Opcode ID: 9a5ba9b4b03670584ffb4c6890411b8f38dc25bc905199d0c15dc5b277b6b64a
• Instruction ID: f1b014459f2de55ad39b9ce4e2eab06dd530905b6b6ad57ecd0cf2e75cce6712
• Opcode Fuzzy Hash: 9a5ba9b4b03670584ffb4c6890411b8f38dc25bc905199d0c15dc5b277b6b64a
• Instruction Fuzzy Hash: B971A23160430167C614FB72CD579AE77A4AE94308F40097FF586A21E2FFBC9A49C69E
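The watchdog function above opens another process with PROCESS_ALL_ACCESS (0x1FFFFF) and carries the image names fsutil.exe, rmclient.exe and svchost.exe. Sysmon Event ID 10 (ProcessAccess) records exactly that kind of handle open with the requested mask in its GrantedAccess field, so the pattern translates into a detection. The code below is an added example, not from the report or from Remcos: it parses constructed Event ID 10 records and flags full-access opens of a process named like the watchdog targets from a source outside the system directories. The image-name list and the trusted-directory allowlist are assumptions drawn from this entry's strings, and the log lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

PROCESS_ALL_ACCESS = 0x1FFFFF   # the dwDesiredAccess the function passes to OpenProcess

# Image names from this function's string table. Assumption: these are the names
# the watchdog runs as, or opens handles to.
WATCHDOG_IMAGES = {"svchost.exe", "fsutil.exe", "rmclient.exe"}

# Assumption: full-access opens from genuine system binaries are treated as benign.
TRUSTED_SOURCE_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed Sysmon Event ID 10 (ProcessAccess) records, flattened to key=value.
SAMPLE_EVENTS = [
    "EventID=10 SourceImage=C:\\Users\\victim\\AppData\\Roaming\\rmclient.exe "
    "TargetImage=C:\\Windows\\SysWOW64\\svchost.exe GrantedAccess=0x1FFFFF",
    "EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000",
    "EventID=10 SourceImage=C:\\Program Files\\Vendor\\agent.exe "
    "TargetImage=C:\\Windows\\System32\\fsutil.exe GrantedAccess=0x1410",
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe",
]


@dataclass
class ProcessAccess:
    source: str
    target: str
    granted: int


# key=value pairs; values may contain spaces (e.g. "Program Files"), so a value
# runs until the next " key=" token or end of line.
_FIELD = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> Optional[ProcessAccess]:
    """Return a ProcessAccess for Event ID 10 lines, None for anything else."""
    fields = dict(_FIELD.findall(line))
    if fields.get("EventID") != "10":
        return None
    return ProcessAccess(
        source=fields["SourceImage"],
        target=fields["TargetImage"],
        granted=int(fields["GrantedAccess"], 16),   # Sysmon writes the mask as 0x-prefixed hex
    )


def _image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_watchdog_like(ev: ProcessAccess) -> bool:
    """Full-access open of a watchdog-named process from outside the system dirs."""
    if (ev.granted & PROCESS_ALL_ACCESS) != PROCESS_ALL_ACCESS:
        return False
    if _image_name(ev.target) not in WATCHDOG_IMAGES:
        return False
    return not ev.source.lower().startswith(TRUSTED_SOURCE_DIRS)


def find_watchdog_opens(lines: Iterable[str]) -> List[ProcessAccess]:
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None and is_watchdog_like(ev):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in find_watchdog_opens(SAMPLE_EVENTS):
        print(f"suspicious: {hit.source} -> {hit.target} (0x{hit.granted:X})")
```

A full-access mask alone is far too noisy to alert on (backup agents and debuggers request it routinely); the target-name and source-path filters are what narrow it to this watchdog pattern, and both should be tuned to the environment.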
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBEA
• FindClose.KERNEL32(00000000), ref: 0040BC04
• FindNextFileA.KERNEL32(00000000,?), ref: 0040BD27
• FindClose.KERNEL32(00000000), ref: 0040BD4D
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Similarity
• API ID: Find$CloseFile$FirstNext
• String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
• API String ID: 1164774033-3681987949
APIs
• OpenClipboard.USER32 ref: 004168FD
• EmptyClipboard.USER32 ref: 0041690B
• GlobalAlloc.KERNEL32(00002000,-00000002), ref: 0041692B
• GlobalLock.KERNEL32(00000000), ref: 00416934
• GlobalUnlock.KERNEL32(00000000), ref: 0041696A
• SetClipboardData.USER32(0000000D,00000000), ref: 00416973
• CloseClipboard.USER32 ref: 00416990
• OpenClipboard.USER32 ref: 00416997
• GetClipboardData.USER32(0000000D), ref: 004169A7
• GlobalLock.KERNEL32(00000000), ref: 004169B0
• GlobalUnlock.KERNEL32(00000000), ref: 004169B9
• CloseClipboard.USER32 ref: 004169BF
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Similarity
• API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
• String ID: !D@$xdF
• API String ID: 3520204547-3540039394
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F4C9
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00475338), ref: 0040F4F4
• Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F510
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F58F
• CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F59E
  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
• CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F6A9
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Similarity
• API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
• String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$xdF$xdF
• API String ID: 3756808967-2341171916
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDEA
• FindClose.KERNEL32(00000000), ref: 0040BE04
• FindNextFileA.KERNEL32(00000000,?), ref: 0040BEC4
• FindClose.KERNEL32(00000000), ref: 0040BEEA
• FindClose.KERNEL32(00000000), ref: 0040BF0B
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Similarity
• API ID: Find$Close$File$FirstNext
• String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
• API String ID: 3527384056-432212279
APIs
• CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413452
• MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413460
• GetFileSize.KERNEL32(?,00000000), ref: 0041346D
• UnmapViewOfFile.KERNEL32(00000000), ref: 0041348D
• CloseHandle.KERNEL32(00000000), ref: 0041349A
• CloseHandle.KERNEL32(?), ref: 004134A0
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Similarity
• API ID: File$CloseHandleView$CreateMappingSizeUnmap
• String ID:
• API String ID: 297527592-0
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Similarity
• API ID:
• String ID: 0$1$2$3$4$5$6$7$VG
• API String ID: 0-1861860590
APIs
  • Part of subcall function 0041798D: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
  • Part of subcall function 0041798D: OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
  • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
  • Part of subcall function 0041798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
  • Part of subcall function 0041798D: GetLastError.KERNEL32 ref: 004179D8
• ExitWindowsEx.USER32(00000000,00000001), ref: 00416891
• LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 004168A6
• GetProcAddress.KERNEL32(00000000), ref: 004168AD
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Similarity
• API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
• String ID: !D@$$aF$(aF$,aF$PowrProf.dll$SetSuspendState
• API String ID: 1589313981-3345310279
                                                                                                                            • Opcode ID: 8bc0f8375761edb47c54808e2b1239fbaac277fafa3eb5207d513464c2f7f54c
                                                                                                                            • Instruction ID: 272f3f60014ab8f8f2fa2781f50e1ac7d9ab3f628c5d0f86ef79d7992e461550
                                                                                                                            • Opcode Fuzzy Hash: 8bc0f8375761edb47c54808e2b1239fbaac277fafa3eb5207d513464c2f7f54c
                                                                                                                            • Instruction Fuzzy Hash: D821B17060430166CA14FBB28856ABF36599F41388F41087FB501671D2EF3DD845C76E
                                                                                                                            APIs
                                                                                                                            • _wcslen.LIBCMT ref: 0040755C
                                                                                                                            • CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                                                                                                            Strings
Yara matches
Similarity
• API ID: Object_wcslen
• String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
• API String ID: 240030777-3166923314
• Opcode ID: 117ce5ffae064854f49a167cf2fa86c02e7857af1ac0d1358aae668e1cde24ce
• Instruction ID: 28daeeabb8f9d0779e909056d36d27ae9c6096be3406941992b1a3e854751cf1
• Opcode Fuzzy Hash: 117ce5ffae064854f49a167cf2fa86c02e7857af1ac0d1358aae668e1cde24ce
• Instruction Fuzzy Hash: 88113771D04214B6D710EA959845BDEB77C9B08714F15006FF904B2281EB7CAE448A6F
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A7EF
• EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A83E
• GetLastError.KERNEL32 ref: 0041A84C
• EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A884
Yara matches
Similarity
• API ID: EnumServicesStatus$ErrorLastManagerOpen
• String ID:
• API String ID: 3587775597-0
• Opcode ID: 9816c30dbe394c6d524d412892c8543da7174021f6f617124b5cdd31ab9446d7
• Instruction ID: 52116c85fb856a5ac6c14b0259405ec20ae2fa8d9cc538ef9907a440d1633313
• Opcode Fuzzy Hash: 9816c30dbe394c6d524d412892c8543da7174021f6f617124b5cdd31ab9446d7
• Instruction Fuzzy Hash: 17817071104301ABC304EF61D885DAFB7A8FF94749F50082EF185521A2EF78EE49CB9A
APIs
• FindFirstFileW.KERNEL32(00000000,?), ref: 00419DDC
• FindNextFileW.KERNEL32(00000000,?,?), ref: 00419EA8
  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
Strings
Yara matches
Similarity
• API ID: File$Find$CreateFirstNext
• String ID: 8SG$8eF$PXG$PXG$NG$PG
• API String ID: 341183262-432830541
• Opcode ID: b1db4a5a3be40e341bb9cdbfef9e6ed632d4ce7e1eafa0df89fe973488a51f0c
• Instruction ID: 0eaaaed992bec346a468a6d62c1d6888972f0568f5be94e2eef244f320132bd5
• Opcode Fuzzy Hash: b1db4a5a3be40e341bb9cdbfef9e6ed632d4ce7e1eafa0df89fe973488a51f0c
• Instruction Fuzzy Hash: 998151315083415BC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
APIs
• FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C3D6
• FindNextFileW.KERNEL32(00000000,?), ref: 0040C4A9
• FindClose.KERNEL32(00000000), ref: 0040C4B8
• FindClose.KERNEL32(00000000), ref: 0040C4E3
Strings
Yara matches
Similarity
• API ID: Find$CloseFile$FirstNext
• String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
• API String ID: 1164774033-405221262
• Opcode ID: 5ed3b41428f8b2cdda3014a100c4dac4a4add0d0ae102e093268bf9ba78ad219
• Instruction ID: 33618048715e6b2d4a7b39963b1e19558724686ef99070a322097c87c0ca4c0c
• Opcode Fuzzy Hash: 5ed3b41428f8b2cdda3014a100c4dac4a4add0d0ae102e093268bf9ba78ad219
• Instruction Fuzzy Hash: 59313E31500219AACB14E761DC9A9EE7778AF50719F10057FF106B21E2EF7C9946CA4D
APIs
• FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C37D
• FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3AD
• SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C41F
• DeleteFileW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C42C
  • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C402
• GetLastError.KERNEL32(?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C44D
• FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C463
• RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C46A
• FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C473
Yara matches
Similarity
• API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
• String ID:
• API String ID: 2341273852-0
• Opcode ID: 74fc921fbbcb6c35e60b9a8f4f047a03f237c0767a03969ab094381de9c75e57
• Instruction ID: 53b23dfad01ba0d5beec27b7c27070a1caf437d6ccbc5233b8522822963bc02e
• Opcode Fuzzy Hash: 74fc921fbbcb6c35e60b9a8f4f047a03f237c0767a03969ab094381de9c75e57
• Instruction Fuzzy Hash: 4A31807284431CAADB24E761DC89EEB736CAF09305F0405FBF559D2051EB3DDAC98A58
APIs
• GetForegroundWindow.USER32(?,?,004750F0), ref: 0040A451
• GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
• GetKeyboardLayout.USER32(00000000), ref: 0040A464
• GetKeyState.USER32(00000010), ref: 0040A46E
• GetKeyboardState.USER32(?,?,004750F0), ref: 0040A479
• ToUnicodeEx.USER32(00475144,00000000,?,?,00000010,00000000,00000000), ref: 0040A49C
• ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
• ToUnicodeEx.USER32(00475144,?,?,?,00000010,00000000,00000000), ref: 0040A535
Yara matches
Similarity
• API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
• String ID:
• API String ID: 1888522110-0
• Opcode ID: 1fbef96bbf5188aadc2f193688702ae07512c2e2bc484e71aa5862d9cec23228
• Instruction ID: fd17a64e9e4f7f825196359ceba3421c6f582a70c0a4c9d277f8a97da3dc7bda
• Opcode Fuzzy Hash: 1fbef96bbf5188aadc2f193688702ae07512c2e2bc484e71aa5862d9cec23228
• Instruction Fuzzy Hash: 1E316D72504308BFD700DF90DC45F9B7BECBB88744F00083AB645D61A0D7B5E9498BA6
APIs
• RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140D8
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140E4
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
• LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004142A5
• GetProcAddress.KERNEL32(00000000), ref: 004142AC
Strings
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressCloseCreateLibraryLoadProcsend
                                                                                                                            • String ID: SHDeleteKeyW$Shlwapi.dll
                                                                                                                            • API String ID: 2127411465-314212984
                                                                                                                            • Opcode ID: 06d1a5a76b017135f0c7cd2769cc20c356054c85bde5a99e38e605f8f467306c
                                                                                                                            • Instruction ID: 51cedef5a77654bf04fe1bae55708f30d4330cefe0c145b830acf249c6506b6e
                                                                                                                            • Opcode Fuzzy Hash: 06d1a5a76b017135f0c7cd2769cc20c356054c85bde5a99e38e605f8f467306c
                                                                                                                            • Instruction Fuzzy Hash: 16B1F671A0430066CA14FB76DC579AF36A85F91788F40053FB906771E2EE7D8A48C6DA
                                                                                                                            APIs
                                                                                                                            • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FF7
                                                                                                                            • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070DB
                                                                                                                            Strings
                                                                                                                            • 0aF, xrefs: 0040701B
                                                                                                                            • open, xrefs: 00406FF1
                                                                                                                            • C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, xrefs: 00407042, 0040716A
                                                                                                                            • 0aF, xrefs: 0040712C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: DownloadExecuteFileShell
                                                                                                                            • String ID: 0aF$0aF$C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe$open
                                                                                                                            • API String ID: 2825088817-2165226259
                                                                                                                            • Opcode ID: 923720e91b3b93ced022c8f09402ffdeef5ac1de3faef11556d055e1baddb03d
                                                                                                                            • Instruction ID: 89f65c5a2840bfed21b3c91f130df949caec66636536da5e2ea9f2eef63816fc
                                                                                                                            • Opcode Fuzzy Hash: 923720e91b3b93ced022c8f09402ffdeef5ac1de3faef11556d055e1baddb03d
                                                                                                                            • Instruction Fuzzy Hash: 5261B371A0830166CA14FB76C8569BE37A59F81758F40093FB9427B2D3EE3C9905C69B
                                                                                                                            APIs
                                                                                                                            • __EH_prolog.LIBCMT ref: 0040884C
                                                                                                                            • FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                                                                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                                                                                                            • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                                                                                                            • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A50
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                                                                                                            • String ID: xdF
                                                                                                                            • API String ID: 1771804793-999140092
                                                                                                                            • Opcode ID: 2d3ba0ca0dc72d432722469e1d6484c40dd4114f0b76abad64f27a2160808522
                                                                                                                            • Instruction ID: 0d5560aa06bbfb8d15084ed76e809f646cede1ce68103026aeaac9ba950e1e68
                                                                                                                            • Opcode Fuzzy Hash: 2d3ba0ca0dc72d432722469e1d6484c40dd4114f0b76abad64f27a2160808522
                                                                                                                            • Instruction Fuzzy Hash: 9D517F72900209AACB04FB65DD569ED7778AF10308F50417FB906B71E2EF389B49CB89
                                                                                                                            APIs
                                                                                                                            • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
                                                                                                                            • GetLastError.KERNEL32 ref: 0040BA93
                                                                                                                            Strings
                                                                                                                            • UserProfile, xrefs: 0040BA59
                                                                                                                            • [Chrome StoredLogins found, cleared!], xrefs: 0040BAB9
                                                                                                                            • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA54
                                                                                                                            • [Chrome StoredLogins not found], xrefs: 0040BAAD
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: DeleteErrorFileLast
                                                                                                                            • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                                                                                            • API String ID: 2018770650-1062637481
                                                                                                                            • Opcode ID: da590471c171d91861b96d53a82fbeb74457954862d93b664b5ed17c9f3159e2
                                                                                                                            • Instruction ID: 0532e36a1aab116e50a9f1d1704ee325f44086adb43c50cfffb7bf5285f9a594
                                                                                                                            • Opcode Fuzzy Hash: da590471c171d91861b96d53a82fbeb74457954862d93b664b5ed17c9f3159e2
                                                                                                                            • Instruction Fuzzy Hash: 76018F61A402056ACB04B7B6DC5B9BE7724A921704B50057FF806722D2FE7D49098BDE
                                                                                                                            APIs
                                                                                                                            • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                                                                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                                                                                                            • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                                                                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                                                                                                            • GetLastError.KERNEL32 ref: 004179D8
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                                                                                            • String ID: SeShutdownPrivilege
                                                                                                                            • API String ID: 3534403312-3733053543
                                                                                                                            • Opcode ID: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                                                                                                            • Instruction ID: 35ac2027e355ce869dd6e937a138cd84cb59798e299a7bc9dfe05b1c572390d3
                                                                                                                            • Opcode Fuzzy Hash: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                                                                                                            • Instruction Fuzzy Hash: 38F03A71802229FBDB10ABA1EC4DAEF7FBCEF05612F100465B909A1152D7348E04CBB5
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __floor_pentium4
                                                                                                                            • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                                            • API String ID: 4168288129-2761157908
                                                                                                                            • Opcode ID: e29b251e1eee29052bf5b6da388e4b2e308b35626dbf2dd5d7aa75add96dd8b0
                                                                                                                            • Instruction ID: 22fd31c6184e07a9d3e8c26eafc68e38345e899adb4ac4f90a3aea4af7cb717d
                                                                                                                            • Opcode Fuzzy Hash: e29b251e1eee29052bf5b6da388e4b2e308b35626dbf2dd5d7aa75add96dd8b0
                                                                                                                            • Instruction Fuzzy Hash: BBC27E71D046288FDB25CE28DD407EAB3B5EB8530AF1541EBD80DE7241E778AE898F45
                                                                                                                            APIs
                                                                                                                            • __EH_prolog.LIBCMT ref: 00409293
                                                                                                                              • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,004EAAB8,00000010), ref: 004048E0
                                                                                                                              • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 0040932F
                                                                                                                            • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040938D
                                                                                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 004093E5
                                                                                                                            • FindClose.KERNEL32(00000000), ref: 004093FC
                                                                                                                              • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                                                                                                              • Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                                                                                                              • Part of subcall function 00404E26: CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                                                                                                            • FindClose.KERNEL32(00000000), ref: 004095F4
                                                                                                                              • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                                                                                                              • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1824512719-0
                                                                                                                            • Opcode ID: 044e6ce9008766a7a65a768aac80fc5d211b037577fdaa00de3e6a49aea5e753
                                                                                                                            • Instruction ID: 89df7f8b75d3b77417eb58d09b4f39b7dfb13bde992cfd9524fc7595df83f5be
                                                                                                                            • Opcode Fuzzy Hash: 044e6ce9008766a7a65a768aac80fc5d211b037577fdaa00de3e6a49aea5e753
                                                                                                                            • Instruction Fuzzy Hash: 34B19D32900109AACB14EBA1DD92AEDB379AF44314F50417FF506B60E2EF785F49CB59
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A731,00000000), ref: 0041AAE4
• OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A731,00000000), ref: 0041AAF9
• CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB06
• StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A731,00000000), ref: 0041AB11
• CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB23
• CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB26
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• API ID: Service$CloseHandle$Open$ManagerStart
• String ID:
• API String ID: 276877138-0
• Opcode ID: d2aae47141dcf0d9b89d10f0773cee60e0a3b0657566105474702d9dbd979937
• Instruction ID: 14dbf03deabb1432b93a26d2ddf90514dbbc411f15d31c7908333a88c2a5d316
• Opcode Fuzzy Hash: d2aae47141dcf0d9b89d10f0773cee60e0a3b0657566105474702d9dbd979937
• Instruction Fuzzy Hash: FEF0E971141225AFD2115B209C88DFF276CDF85B66B00082AF901921919B68CC45E579
APIs
• GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 00452555
• GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 0045257E
• GetACP.KERNEL32 ref: 00452593
• API ID: InfoLocale
• String ID: ACP$OCP
• API String ID: 2299586839-711371036
• Opcode ID: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
• Instruction ID: 097c3b5166b2d36aca1cb621bb06e922528e2ea4561953c90108b9915aa2a338
• Opcode Fuzzy Hash: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
• Instruction Fuzzy Hash: 7E21F932600108B6D734CF14CA10A9B73A6EB16B53B564467ED09D7312F7B6DD44C398
APIs
• FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407892
• FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040795A
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
• API ID: FileFind$FirstNextsend
• String ID: 8eF$XPG$XPG
• API String ID: 4113138495-4157548504
• Opcode ID: 9c076ed0e53783146bb9a961fa22fc637ca0dfbcf462d17139775671e6fa276d
• Instruction ID: fedc3c23448d2be437c2d68ef58725aa3c97e5c0e74d328490a6b39f64eed896
• Opcode Fuzzy Hash: 9c076ed0e53783146bb9a961fa22fc637ca0dfbcf462d17139775671e6fa276d
• Instruction Fuzzy Hash: 2D21A4315083015BC714FB61D895CEFB3ACAF90358F40493EF696620E1FF78AA098A5B
APIs
• SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
  • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
  • Part of subcall function 004137AA: RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000,004752F0,?,?,0040F88E,004674C8,5.1.3 Pro), ref: 004137E1
  • Part of subcall function 004137AA: RegCloseKey.KERNEL32(?,?,?,0040F88E,004674C8,5.1.3 Pro), ref: 004137EC
• API ID: CloseCreateInfoParametersSystemValue
• String ID: ,aF$Control Panel\Desktop$TileWallpaper$WallpaperStyle
• API String ID: 4127273184-3126330168
• Opcode ID: 66999e3142bd33a62fa1d08061f300942aa72122ed75466f2ef34f9b656b6348
• Instruction ID: 8ac436d711b2fc3476497f69dc57c3b9a547a247a31514f467319d0910454585
• Opcode Fuzzy Hash: 66999e3142bd33a62fa1d08061f300942aa72122ed75466f2ef34f9b656b6348
• Instruction Fuzzy Hash: D7118472BC425022E81831396D9BFBE28068343F61F54456BF6022A6CAE4CF6A9143CF
APIs
• FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B54A
• LoadResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B55E
• LockResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B565
• SizeofResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B574
• API ID: Resource$FindLoadLockSizeof
• String ID: SETTINGS
• API String ID: 3473537107-594951305
• Opcode ID: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
• Instruction ID: d04f7a3eece584ab18b37ce022e38df3785cd6d6757b7dd0dc659012c7d5cbc3
• Opcode Fuzzy Hash: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
• Instruction Fuzzy Hash: 8EE01A76600B22EBEB211BB1AC4CD863E29F7C97637140075F90586231CB798840DA98
APIs
• __EH_prolog.LIBCMT ref: 004096A5
• FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040971D
• FindNextFileW.KERNEL32(00000000,?), ref: 00409746
• FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040975D
• API ID: Find$File$CloseFirstH_prologNext
• String ID:
• API String ID: 1157919129-0
• Opcode ID: 04186a96ba2563a4797b96822061498dac0f2627b0c95c6eb73685e596428a85
• Instruction ID: 8e52766585a78a9bd0f7e398a9017c7fe376444e683812dd136b20495b515571
• Opcode Fuzzy Hash: 04186a96ba2563a4797b96822061498dac0f2627b0c95c6eb73685e596428a85
• Instruction Fuzzy Hash: 7F814C328001099BCB15EBA2DC969EDB378AF14318F10417FE506B71E2EF789E49CB58
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
• GetUserDefaultLCID.KERNEL32 ref: 0045279C
• IsValidCodePage.KERNEL32(00000000), ref: 004527F7
• IsValidLocale.KERNEL32(?,00000001), ref: 00452806
• GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0045284E
• GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 0045286D
                                                                                                                            • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 745075371-0
                                                                                                                            • Opcode ID: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                                                                                                            • Instruction ID: 3c84011e7dbdf7a6f9673bc5a23f9f2f22d5020eb6794df094384b3d0215d6fb
                                                                                                                            • Opcode Fuzzy Hash: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                                                                                                            • Instruction Fuzzy Hash: 9B518571900205ABDB10DFA5CD45ABF77B8EF0A702F04046BED14E7292E7B89948CB69
                                                                                                                            APIs
                                                                                                                            • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                                                                                                              • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                                                                                                                              • Part of subcall function 004137AA: RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000,004752F0,?,?,0040F88E,004674C8,5.1.3 Pro), ref: 004137E1
                                                                                                                              • Part of subcall function 004137AA: RegCloseKey.KERNEL32(?,?,?,0040F88E,004674C8,5.1.3 Pro), ref: 004137EC
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseCreateInfoParametersSystemValue
                                                                                                                            • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                                                                                            • API String ID: 4127273184-3576401099
                                                                                                                            • Opcode ID: b83fbb2b8fa876a7ee392f93db0cc41ed7c2a644b20705d4c73ee98bc25cb89b
                                                                                                                            • Instruction ID: 1d4fccf664b116fd7e9026c1daa93839c24cbfeedf45b0e65449f5778d70c30d
                                                                                                                            • Opcode Fuzzy Hash: b83fbb2b8fa876a7ee392f93db0cc41ed7c2a644b20705d4c73ee98bc25cb89b
                                                                                                                            • Instruction Fuzzy Hash: DBF0C272BC421022D82931B96DAFBFE18058742F61F15412BF302652CAD4CE6A81428F
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                                                              • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                                              • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                                                              • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                                            • IsValidCodePage.KERNEL32(00000000), ref: 00451E3A
                                                                                                                            • _wcschr.LIBVCRUNTIME ref: 00451ECA
                                                                                                                            • _wcschr.LIBVCRUNTIME ref: 00451ED8
                                                                                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00451F7B
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4212172061-0
                                                                                                                            • Opcode ID: 715b93ef3f017ee4fea0110e94a068843382a27aff4af5d2daf4b4fdd25eb79d
                                                                                                                            • Instruction ID: 2c98265d6c7a89d72caae9d33925a6d6107158c78f730362dcab12f0c71d6669
                                                                                                                            • Opcode Fuzzy Hash: 715b93ef3f017ee4fea0110e94a068843382a27aff4af5d2daf4b4fdd25eb79d
                                                                                                                            • Instruction Fuzzy Hash: 7F611976600606AAD714AB75CC42FBB73A8EF04306F14056FFD05DB292EB78E948C769
                                                                                                                            APIs
                                                                                                                            • _free.LIBCMT ref: 0044943D
                                                                                                                              • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                                                                              • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                                                            • GetTimeZoneInformation.KERNEL32 ref: 0044944F
                                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,?,00472764,000000FF,?,0000003F,?,?), ref: 004494C7
                                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,?,004727B8,000000FF,?,0000003F,?,?,?,00472764,000000FF,?,0000003F,?,?), ref: 004494F4
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 806657224-0
                                                                                                                            • Opcode ID: aeb37be2ef55a5d103ab6b4be93faccb032caed00e04dd613037f001c8cf3bb4
                                                                                                                            • Instruction ID: d52e19fe16dfdee109f40d049db845c42e01460133d57766726f1505d2785bee
                                                                                                                            • Opcode Fuzzy Hash: aeb37be2ef55a5d103ab6b4be93faccb032caed00e04dd613037f001c8cf3bb4
                                                                                                                            • Instruction Fuzzy Hash: 2D31F371904205EFDB15DF69CE8186EBBB8FF0572072446AFE024A73A1D3748D41EB28
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                                                              • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                                              • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                                                              • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                                              • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                                                                                              • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                                                                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452197
                                                                                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004521E8
                                                                                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004522A8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorInfoLastLocale$_free$_abort
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2829624132-0
                                                                                                                            • Opcode ID: 711793eb573856c12bfad09b44d2354213151b00c391b4c97ce46ce3e25352d9
                                                                                                                            • Instruction ID: 283aa9570716a6929da4b93cb0bca45b8c77d553a5ebfd19e37a994bad1de6ac
                                                                                                                            • Opcode Fuzzy Hash: 711793eb573856c12bfad09b44d2354213151b00c391b4c97ce46ce3e25352d9
                                                                                                                            • Instruction Fuzzy Hash: F361A235500207ABDF289F24CE82B7A77A8EF05306F1441BBED05C6656E7BC9D89CB58
                                                                                                                            APIs
                                                                                                                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 100061DA
                                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 100061E4
                                                                                                                            • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 100061F1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4198476554.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4198460689.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000000.00000002.4198476554.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3906539128-0
                                                                                                                            • Opcode ID: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
                                                                                                                            • Instruction ID: da4494ed88e82f72bec2981ffd8ad716d5acf317cb547f21db02b9c2842d332f
                                                                                                                            • Opcode Fuzzy Hash: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
                                                                                                                            • Instruction Fuzzy Hash: 4A31D37490122C9BEB21DF24DD88B8DBBB8EF08350F5041DAE81CA7265E7709F818F55
                                                                                                                            APIs
                                                                                                                            • IsDebuggerPresent.KERNEL32 ref: 0043BC69
                                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC73
                                                                                                                            • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC80
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3906539128-0
                                                                                                                            • Opcode ID: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                                                                                                                            • Instruction ID: 25e88f5a56b9fbea854716c485460a06fbe33a825339a9765be54c88dd7cea35
                                                                                                                            • Opcode Fuzzy Hash: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                                                                                                                            • Instruction Fuzzy Hash: 0431D374901218ABCB21DF65D9887CDBBB8EF0C311F5051EAE81CA7251EB749F818F48
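The API bullets in these function summaries are the raw evidence behind two of the signatures listed at the top of the report: the SystemParametersInfoW / RegCreateKeyA / RegSetValueExA cluster at 0041CB68 backs "Contains functionalty to change the wallpaper", and the IsDebuggerPresent entries at 0043BC69 and 100061DA back "Contains functionality to check if a debugger is running". The bullets show only raw stack words, so an analyst has to decode them by hand: 00000014 is SPI_SETDESKWALLPAPER, 00000003 is SPIF_UPDATEINIFILE | SPIF_SENDCHANGE, and 80000001 is HKEY_CURRENT_USER. The following Python script is an added example, not part of the Joe Sandbox report and not code from the sample. It parses this bullet format, decodes those constants, and adds the caveat a triager wants: the IsDebuggerPresent -> SetUnhandledExceptionFilter(NULL) -> UnhandledExceptionFilter sequence, which appears identically in both the main module and the 10000000-based module, is the call pattern of the MSVC CRT security-failure reporting routine (__raise_securityfailure, reached from __report_gsfailure), so on its own it is compiler runtime code rather than a custom anti-debugging check. The sample text embedded below is copied from the bullets on this page; the constant tables are from the Windows SDK headers and cover only the values these bullets use.

```python
"""Decode Joe Sandbox 'APIs' bullets into named Windows constants and behaviours.
Added example; not part of the Joe Sandbox report or of the analysed sample."""
import re
from dataclasses import dataclass
from typing import List, Optional

# One bullet per recovered API call. Arguments are the raw stack words the
# sandbox could recover; '?' means unresolved. Bullets prefixed with
# "Part of subcall function X:" were observed inside callee X.
_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Constant names from the Windows SDK, limited to the values seen on this page.
SPI_ACTIONS = {0x14: "SPI_SETDESKWALLPAPER"}
SPIF_FLAGS = {0x1: "SPIF_UPDATEINIFILE", 0x2: "SPIF_SENDCHANGE"}
HKEY_ROOTS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
              0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}

# Sample input copied from the report entries above (constructed test data).
WALLPAPER_BLOCK = """\
• SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
  • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
  • Part of subcall function 004137AA: RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000,004752F0,?,?,0040F88E,004674C8,5.1.3 Pro), ref: 004137E1
  • Part of subcall function 004137AA: RegCloseKey.KERNEL32(?,?,?,0040F88E,004674C8,5.1.3 Pro), ref: 004137EC
"""
GS_FAILURE_BLOCK = """\
• IsDebuggerPresent.KERNEL32 ref: 0043BC69
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC73
• UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC80
"""


@dataclass
class ApiCall:
    func: str
    module: str
    args: List[str]            # raw argument words, '?' kept as-is
    ref: int                   # call-site address
    subcall_of: Optional[int]  # callee address when attributed to a subcall


def parse_api_block(text: str) -> List[ApiCall]:
    """Parse every bullet in one function's 'APIs' section; skip other lines."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["func"], m["mod"], args, int(m["ref"], 16), sub))
    return calls


def _word(arg: str) -> Optional[int]:
    """Hex stack word -> int; None for '?' or inline strings like '5.1.3 Pro'."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def describe_wallpaper_change(calls: List[ApiCall]) -> Optional[dict]:
    """Recognise SystemParametersInfoW(SPI_SETDESKWALLPAPER, ...) together with
    registry writes made by the same function (directly or via a subcall)."""
    spi = next((c for c in calls if c.func == "SystemParametersInfoW"
                and c.args and _word(c.args[0]) == 0x14), None)
    if spi is None:
        return None
    flags = _word(spi.args[3]) if len(spi.args) > 3 else None
    roots: List[str] = []
    writes = 0
    for c in calls:
        if c.func.startswith("RegCreateKey") and c.args:
            name = HKEY_ROOTS.get(_word(c.args[0]))
            if name and name not in roots:
                roots.append(name)
        elif c.func.startswith("RegSetValueEx"):
            writes += 1
    return {
        "action": SPI_ACTIONS[0x14],
        "flags": [n for bit, n in SPIF_FLAGS.items() if flags is not None and flags & bit],
        # pvParam == NULL: the new wallpaper path comes from the registry value just written
        "pvParam_is_null": (_word(spi.args[2]) == 0) if len(spi.args) > 2 else None,
        "registry_roots": roots,
        "registry_writes": writes,
        "call_site": f"{spi.ref:08X}",
    }


def is_crt_security_failure_stub(calls: List[ApiCall]) -> bool:
    """True when the block is exactly IsDebuggerPresent ->
    SetUnhandledExceptionFilter(NULL) -> UnhandledExceptionFilter: the MSVC CRT
    __raise_securityfailure pattern, i.e. compiler runtime rather than custom
    anti-debugging. Only top-level bullets (not subcall bullets) are compared."""
    seq = [c.func for c in calls if c.subcall_of is None]
    if seq != ["IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter"]:
        return False
    suef = next(c for c in calls if c.func == "SetUnhandledExceptionFilter")
    return bool(suef.args) and _word(suef.args[0]) == 0


if __name__ == "__main__":
    print(describe_wallpaper_change(parse_api_block(WALLPAPER_BLOCK)))
    print("CRT GS-failure stub:", is_crt_security_failure_stub(parse_api_block(GS_FAILURE_BLOCK)))
```

Run against the wallpaper entry, the decoder reports SPI_SETDESKWALLPAPER with SPIF_UPDATEINIFILE | SPIF_SENDCHANGE, a NULL pvParam and one RegSetValueExA under HKEY_CURRENT_USER, which together with the Control Panel\Desktop, TileWallpaper and WallpaperStyle strings listed for that function is the complete wallpaper-change sequence. The same parser applied to the IsDebuggerPresent entries classifies them as the CRT stub, so that signature should be weighted accordingly when triaging; the stronger evidence for this sample remains the Remcos configuration, keyboard hook and credential-access signatures listed in the overview.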
                                                                                                                            APIs
                                                                                                                            • GetCurrentProcess.KERNEL32(?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004AD5
                                                                                                                            • TerminateProcess.KERNEL32(00000000,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004ADC
                                                                                                                            • ExitProcess.KERNEL32 ref: 10004AEE
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4198476554.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4198460689.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000000.00000002.4198476554.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Process$CurrentExitTerminate
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1703294689-0
                                                                                                                            • Opcode ID: 0083298fcdf57ae02ee63dbac9b2f40de16c14eb6cad1f3ac06a4de9001c4c8a
                                                                                                                            • Instruction ID: 67c7ca3480f18a9b01e05da0926f82de4ad888d39fdd55e1be860e0f4a97641b
                                                                                                                            • Opcode Fuzzy Hash: 0083298fcdf57ae02ee63dbac9b2f40de16c14eb6cad1f3ac06a4de9001c4c8a
                                                                                                                            • Instruction Fuzzy Hash: 04E04676000218AFEF01BF25CD48B493B6AEF013C1F128010F9088B029CB35ED52CA68
                                                                                                                            APIs
                                                                                                                            • GetCurrentProcess.KERNEL32(?,?,0044332B,?), ref: 00443376
                                                                                                                            • TerminateProcess.KERNEL32(00000000,?,0044332B,?), ref: 0044337D
                                                                                                                            • ExitProcess.KERNEL32 ref: 0044338F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Process$CurrentExitTerminate
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1703294689-0
                                                                                                                            • Opcode ID: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                                                                                                            • Instruction ID: 4b22f3a5ffe79ca7dfb81d814e561f82a31e4bef9a776fe0bb9daccb8e878f4b
                                                                                                                            • Opcode Fuzzy Hash: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                                                                                                            • Instruction Fuzzy Hash: 9FE0B635401608FBDF11AF55DE09A5D3BAAEB40B56F005469FC498A272CF79EE42CB88
                                                                                                                            APIs
                                                                                                                            • OpenClipboard.USER32(00000000), ref: 0040B74C
                                                                                                                            • GetClipboardData.USER32(0000000D), ref: 0040B758
                                                                                                                            • CloseClipboard.USER32 ref: 0040B760
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Clipboard$CloseDataOpen
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2058664381-0
                                                                                                                            • Opcode ID: ee7560bd864c47a473b03ccd03fab4bf0c670c3a92a751b3696d255e79ff2f15
                                                                                                                            • Instruction ID: 1c65eecdd0087a0ffd0b0a04a5b63b9ff0c479b34dfa65f2e767e94bdce73387
                                                                                                                            • Opcode Fuzzy Hash: ee7560bd864c47a473b03ccd03fab4bf0c670c3a92a751b3696d255e79ff2f15
                                                                                                                            • Instruction Fuzzy Hash: 45E0EC31745320EFC3206B609C49F9B6AA4DF85B52F05443AB905BB2E5DB78CC4086AD
                                                                                                                            APIs
                                                                                                                            • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041605F,00000000), ref: 0041BBD1
                                                                                                                            • NtResumeProcess.NTDLL(00000000), ref: 0041BBDE
                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,0041605F,00000000), ref: 0041BBE7
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Process$CloseHandleOpenResume
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3614150671-0
                                                                                                                            • Opcode ID: dda695613aab68fa1ce07225af6d1ac6bad924da5be1ebe3a2a6355b7b364d52
                                                                                                                            • Instruction ID: 00af7d86c2812e48088786baf9e1e683bef33431c8858657b58e82835f0f92e7
                                                                                                                            • Opcode Fuzzy Hash: dda695613aab68fa1ce07225af6d1ac6bad924da5be1ebe3a2a6355b7b364d52
                                                                                                                            • Instruction Fuzzy Hash: 7AD05E36204121E3C220176A7C0CD97AD68DBC5AA2705412AF804C22609A60CC0186E4
                                                                                                                            APIs
                                                                                                                            • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041603A,00000000), ref: 0041BBA5
                                                                                                                            • NtSuspendProcess.NTDLL(00000000), ref: 0041BBB2
                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,0041603A,00000000), ref: 0041BBBB
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Process$CloseHandleOpenSuspend
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1999457699-0
                                                                                                                            • Opcode ID: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                                                                                                                            • Instruction ID: 611eda4fe747f1c58df557fb912083c2b4b70512fbfbfb6239720577e9304ccf
                                                                                                                            • Opcode Fuzzy Hash: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                                                                                                                            • Instruction Fuzzy Hash: 98D05E36204121E3C7211B6A7C0CD97AD68DFC5AA2705412AF804D26549A20CC0186E4
                                                                                                                            APIs
                                                                                                                            • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434CCF
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: FeaturePresentProcessor
                                                                                                                            • String ID: MZ@
                                                                                                                            • API String ID: 2325560087-2978689999
                                                                                                                            • Opcode ID: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                                                                                                                            • Instruction ID: 5e37b39ef68b784d6588b9ddffa6793edf4c3ade0924e8be62ba08be237937aa
                                                                                                                            • Opcode Fuzzy Hash: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                                                                                                                            • Instruction Fuzzy Hash: E4515B71D002488FEB24CF69D98579EBBF4FB88314F24956BD419EB264D378A940CF98
                                                                                                                            APIs
                                                                                                                            • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004489C0
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: InfoLocale
                                                                                                                            • String ID: GetLocaleInfoEx
                                                                                                                            • API String ID: 2299586839-2904428671
                                                                                                                            • Opcode ID: 53574c2ecf56bfb558b2c309ca3eb91f9c7a0a18e0f2245662e0b0bedf18becb
                                                                                                                            • Instruction ID: 58f0578312c774904006f9ed4749830948a62bec6dc8fde4d932476f73229d15
                                                                                                                            • Opcode Fuzzy Hash: 53574c2ecf56bfb558b2c309ca3eb91f9c7a0a18e0f2245662e0b0bedf18becb
                                                                                                                            • Instruction Fuzzy Hash: C0F0F631640608FBDB016F61DC06F6E7B25EB04751F00056EFC0966251DE368D2096DE
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 321144b451aceacc10be44255a5eb5313de52b8189587c3c0fdae4375c3dd106
                                                                                                                            • Instruction ID: f88ef0336175cd1615890b4a552d96ffb4623b3c947145a2eaf1ae153763923c
                                                                                                                            • Opcode Fuzzy Hash: 321144b451aceacc10be44255a5eb5313de52b8189587c3c0fdae4375c3dd106
                                                                                                                            • Instruction Fuzzy Hash: AA025D71E002199BEF14CFA9D8806AEFBF1FF49314F26816AD819E7384D734AD418B85
                                                                                                                            APIs
                                                                                                                            • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,1000B5BC,?,?,00000008,?,?,1000B25C,00000000), ref: 1000B7EE
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4198476554.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4198460689.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000000.00000002.4198476554.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ExceptionRaise
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3997070919-0
                                                                                                                            • Opcode ID: 5385f7ee1153a66eb2669645b58237e3e0719d9079e030963b5c19e75e4dc3f3
                                                                                                                            • Instruction ID: c899a2dc376e060411cab8954cdd4c29929d9ba6cfa71f030d59b99a2ca162da
                                                                                                                            • Opcode Fuzzy Hash: 5385f7ee1153a66eb2669645b58237e3e0719d9079e030963b5c19e75e4dc3f3
                                                                                                                            • Instruction Fuzzy Hash: 0DB16B31610A09CFE755CF28C486B647BE0FF453A4F25C658E89ACF2A5C735E982CB40
                                                                                                                            APIs
                                                                                                                            • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004533A6,?,?,00000008,?,?,0045625D,00000000), ref: 004535D8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ExceptionRaise
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3997070919-0
                                                                                                                            • Opcode ID: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                                                                                                                            • Instruction ID: 7263c04077df6a1dd25da4ac29b5b982fa38ace811980f45f75c7c5cedc24273
                                                                                                                            • Opcode Fuzzy Hash: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                                                                                                                            • Instruction Fuzzy Hash: 0FB13B315106089FD715CF28C48AB657BE0FF053A6F25865DE899CF3A2C339EA96CB44
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: 0
                                                                                                                            • API String ID: 0-4108050209
                                                                                                                            • Opcode ID: ac460f81c2ed1c183269c9f6522614bdccbebbe18bfaf8fef360a7d89dd83e89
                                                                                                                            • Instruction ID: b5ae8e6f7fa87a7dee9e60626e0a37a25df5f2dd99b83f8da903d7583ecded6c
                                                                                                                            • Opcode Fuzzy Hash: ac460f81c2ed1c183269c9f6522614bdccbebbe18bfaf8fef360a7d89dd83e89
                                                                                                                            • Instruction Fuzzy Hash: 0C129E727083048BD304DF65D882A1EB7E2BFCC758F15892EF495AB381DA74E915CB86
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                                                              • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                                              • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                                                              • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                                              • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                                                                                              • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                                                                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004523E7
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast$_free$InfoLocale_abort
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1663032902-0
                                                                                                                            • Opcode ID: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                                                                                                                            • Instruction ID: 2d4dd0c1c30cd12b50dfb53a4a1f7f5f9091958bb121381f53cce851c87d7921
                                                                                                                            • Opcode Fuzzy Hash: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                                                                                                                            • Instruction Fuzzy Hash: F921D632600606ABDB249F25DD41FBB73A8EB06316F10407FED01D6152EBBC9D48CB59
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                                                              • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                                              • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                                                              • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                                            • EnumSystemLocalesW.KERNEL32(00452143,00000001), ref: 0045208D
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1084509184-0
                                                                                                                            • Opcode ID: cd62537e8c3e003b13522b9155b4eea68fe7d0001d8d421cd242523031e004a2
                                                                                                                            • Instruction ID: b0e9e6415e7ea3a3ed95e939ef0edb9d062384d4a1a0bde9f31cc9ceae225fa6
                                                                                                                            • Opcode Fuzzy Hash: cd62537e8c3e003b13522b9155b4eea68fe7d0001d8d421cd242523031e004a2
                                                                                                                            • Instruction Fuzzy Hash: 0211553A2007019FDB189F39C9916BBBB92FF8075AB14482EEE4687B41D7B5A946C740
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                                                              • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                                              • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                                                              • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                                            • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00452361,00000000,00000000,?), ref: 004525EF
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast$InfoLocale_abort_free
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2692324296-0
                                                                                                                            • Opcode ID: ed905f4e10f5b376defebc36d7d97aa2bb2c1abe5f1ea1ee61b46868c197e3f5
                                                                                                                            • Instruction ID: 8c29d710edde3bbc403447a64c1727e90569dbd09ff88c71ffccea9529c81983
                                                                                                                            • Opcode Fuzzy Hash: ed905f4e10f5b376defebc36d7d97aa2bb2c1abe5f1ea1ee61b46868c197e3f5
                                                                                                                            • Instruction Fuzzy Hash: C4F04936A00116BBDB245A24D905BBF7B58EB01315F04446BEC05A3241FAF8FD058694
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                                                              • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                                              • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                                                              • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                                            • EnumSystemLocalesW.KERNEL32(00452393,00000001), ref: 00452102
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1084509184-0
                                                                                                                            • Opcode ID: b47e8d7704c3cea33439bb1b9c4b2a0344765dc89a2caae7295f0002ba586764
                                                                                                                            • Instruction ID: 883a99871793c155097d9da94a803295819168bd30f8f35cc04eca091e96b9f4
                                                                                                                            • Opcode Fuzzy Hash: b47e8d7704c3cea33439bb1b9c4b2a0344765dc89a2caae7295f0002ba586764
                                                                                                                            • Instruction Fuzzy Hash: E8F0FF363007056FDB245F399881A6B7B96FB82769B04482EFE458B682DAB99C42D604
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00445909: EnterCriticalSection.KERNEL32(-0006D41D,?,0044305C,00000000,0046E938,0000000C,00443017,?,?,?,00445BA7,?,?,0044834A,00000001,00000364), ref: 00445918
                                                                                                                            • EnumSystemLocalesW.KERNEL32(Function_0004843E,00000001,0046EAE0,0000000C), ref: 004484BC
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1272433827-0
                                                                                                                            • Opcode ID: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                                                                                                                            • Instruction ID: 901ea181f65c0ebd25502bb0be635eecd519ab6688482fb1bf3a60b9f01fb263
                                                                                                                            • Opcode Fuzzy Hash: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                                                                                                                            • Instruction Fuzzy Hash: 37F04F76A50200EFEB00EF69D946B4D37E0FB04725F10446EF514DB2A2DB7899809B49
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                                                              • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                                              • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                                                              • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                                            • EnumSystemLocalesW.KERNEL32(00451F27,00000001), ref: 00452007
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1084509184-0
                                                                                                                            • Opcode ID: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                                                                                                                            • Instruction ID: 16a122e2f6617649f53ffd93528404cf76eb0d70ff9257d35f530b0535ef024d
                                                                                                                            • Opcode Fuzzy Hash: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                                                                                                                            • Instruction Fuzzy Hash: 84F0203630020597CB04AF75D845B6A7F90EB82729B06009AFE058B6A2C7799842C754
                                                                                                                            APIs
                                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(Function_00034BE4,0043490B), ref: 00434BDD
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ExceptionFilterUnhandled
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3192549508-0
                                                                                                                            • Opcode ID: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                                                                                                            • Instruction ID: 702e07acd891e046c8aea5fc6397425f5e3bd38ef0af78e1c7fed93ac6412050
                                                                                                                            • Opcode Fuzzy Hash: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                                                                                                            • Instruction Fuzzy Hash:
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: @
                                                                                                                            • API String ID: 0-2766056989
                                                                                                                            • Opcode ID: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
                                                                                                                            • Instruction ID: bbd91956ea41f9089fdf4ea26de33e0e8d132f349ea16d9e77f48d305cf446da
                                                                                                                            • Opcode Fuzzy Hash: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
                                                                                                                            • Instruction Fuzzy Hash: F1412975A183558FC340CF29D58020AFBE1FFC8318F645A1EF889A3350D379E9428B86
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4198476554.0000000010016000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4198460689.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.4198476554.0000000010001000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: f12bac2ceacaba3709f449de7301e54826307763cc64d35c491f096f7cc92462
                                                                                                                            • Instruction ID: 44f99013a838546abf86f75096a930c39f9ce457c7277da91ad5f6740c4fb7fb
                                                                                                                            • Opcode Fuzzy Hash: f12bac2ceacaba3709f449de7301e54826307763cc64d35c491f096f7cc92462
                                                                                                                            • Instruction Fuzzy Hash: 89628C316083958FD324DF28C48469ABBF1FF85384F154A2DE9E98B391E771D989CB42
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: c092c4f6b84b18e3b6cbbf7fe4413e1147b07dd6558fe569cc2693f6d3c9d2d8
                                                                                                                            • Instruction ID: 4200599dcb49c21c1ca78238ad82984ca11e49a574bdd01b256a4bdf4e559873
                                                                                                                            • Opcode Fuzzy Hash: c092c4f6b84b18e3b6cbbf7fe4413e1147b07dd6558fe569cc2693f6d3c9d2d8
                                                                                                                            • Instruction Fuzzy Hash: D2322521D69F414DE7239A35CC22336A24CBFB73C5F15D737E81AB5AAAEB29C4834105
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 11fe0a22ef666ee2c1bed35089f8503541a39c5702d52e9a7652229b453a748b
                                                                                                                            • Instruction ID: 06c66d0f35fb266b7f69fbfce4f1f639eb17408d85dd7e5468211ecdc8378744
                                                                                                                            • Opcode Fuzzy Hash: 11fe0a22ef666ee2c1bed35089f8503541a39c5702d52e9a7652229b453a748b
                                                                                                                            • Instruction Fuzzy Hash: 7932C2716087459BC715DF28C4807ABB7E5BF84318F040A3EF89587392D779D98ACB8A
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 069969c8f4566116342464d842351c7afe0a72e1e3c3dbe851ab1ff53bf1dd64
                                                                                                                            • Instruction ID: b033fe34555866f616fd3cc64b543b740d9cc82fbf2d17309ab2a27531c6336b
                                                                                                                            • Opcode Fuzzy Hash: 069969c8f4566116342464d842351c7afe0a72e1e3c3dbe851ab1ff53bf1dd64
                                                                                                                            • Instruction Fuzzy Hash: 6C02CEB17046528BC358CF2EEC5053AB7E1AB8D311744863EE495C7781EB35FA22CB94
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 82c6eebf497a8783bea5e127f8a47c76021f3e74a05456d4a9fdc662aa60ff2a
                                                                                                                            • Instruction ID: 06b531cc06dcd57701b547059d2c567c45bbe225ee7d26ac7aed84b394be02a5
                                                                                                                            • Opcode Fuzzy Hash: 82c6eebf497a8783bea5e127f8a47c76021f3e74a05456d4a9fdc662aa60ff2a
                                                                                                                            • Instruction Fuzzy Hash: 2DF19D716142558FC348CF1DE8A187BB3E1FB89311B450A2EF582C3391DB79EA16CB56
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                                                                            • Instruction ID: 2ce137016e68017aebaac4bbf916a57dff7c64f07ba89619fc9d118b501662d8
                                                                                                                            • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                                                                            • Instruction Fuzzy Hash: F9C1D5B22091930AEF3D4639853063FFAA05E957B171A635FE4F2CB2D4FE18C924D514
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                                                                            • Instruction ID: bc2d6065b6eca92eb436045fb502f22698d18e4b36ed1375ff5d5b4a3f5914d0
                                                                                                                            • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                                                                            • Instruction Fuzzy Hash: 75C1D7722091930AEF2D4739853463FFAA15EA57B171A236FE4F2CB2D4FE28C924D514
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                                                                                            • Instruction ID: 708e8454946620f186a1700387687a053fc407bd339bf74556c1f47a113f5a1a
                                                                                                                            • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                                                                                            • Instruction Fuzzy Hash: 95C1C3B220D0930AEF3D4639853063FFAA15EA67B171A675ED4F2CB2D4FE18C924D614
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                                                                            • Instruction ID: 79ee4f31eba35b7567f7a499d226924a3a6c1d38d98321864059dc3c63d33f3d
                                                                                                                            • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                                                                            • Instruction Fuzzy Hash: 76C1E6B220D0930AEF3D4639853463FBAA15EA57B171A236FD4F2CB2D4FE18C924C614
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 2e85d6dc501202f3c2e801dccf0940871ddf0a86c450432c97aa3465398b7722
                                                                                                                            • Instruction ID: 096ff1c695f9ab27d4b2dbab46670c8098de74970727e2ec16deab2a6828ec1d
                                                                                                                            • Opcode Fuzzy Hash: 2e85d6dc501202f3c2e801dccf0940871ddf0a86c450432c97aa3465398b7722
                                                                                                                            • Instruction Fuzzy Hash: EAB1A37951429A8ACB05EF68C4913F63BA1EF6A301F0850B9EC9CCF757D2398506EB24
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 30caec0efc745099040319085d406cd9bdcff08e218f1b0552064e12ef4373be
                                                                                                                            • Instruction ID: 32d6082e35155a0a096806a6943d6f48c3d67459c64856e3d931f7c23e0710f9
                                                                                                                            • Opcode Fuzzy Hash: 30caec0efc745099040319085d406cd9bdcff08e218f1b0552064e12ef4373be
                                                                                                                            • Instruction Fuzzy Hash: 59618971202709A6EE34892B88967BF63949F6D314F10342FE983DB3C1D65DDD82931E
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 341ce5e44018b0d8febb5363e57dd776d1ec6df4a054cddc6676df713c6a7dda
                                                                                                                            • Instruction ID: 5d22fc1bcc5d638cf6a4a0606be4d5c4d5bba199c703cf788a7f99cafe8d65e8
                                                                                                                            • Opcode Fuzzy Hash: 341ce5e44018b0d8febb5363e57dd776d1ec6df4a054cddc6676df713c6a7dda
                                                                                                                            • Instruction Fuzzy Hash: 12615871602718A6DA38592B88977BF2384EB2D344F94351BE483DB3C1D75EAD43871E
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                                                                                                            • Instruction ID: 6c705508b021f12d90b9f9697341ee8142861c1d23b7247138392dbd6e0aa073
                                                                                                                            • Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                                                                                                            • Instruction Fuzzy Hash: 59517671603604A7EF3445AB85567BF63899B0E304F18395FE882C73C2C52DDE02875E
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                                                                                            • Instruction ID: 84bf5d8b6cf777f915eff3509e2c27b9c7ae744ab127a35c194aadb47efed811
                                                                                                                            • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                                                                                            • Instruction Fuzzy Hash: E1517761E0660557DF38892A94D67BF23A59B4E308F18351FE483CB3C2C65EEE06835E
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 5391bdb46e7b363b15ab8dfbfe7515acbec1a5683836347dd09947684361f79a
                                                                                                                            • Instruction ID: d4d389248adab082d17fbdeb677dfbf93ddf16fcbb8c162b69e64d6cf0e33668
                                                                                                                            • Opcode Fuzzy Hash: 5391bdb46e7b363b15ab8dfbfe7515acbec1a5683836347dd09947684361f79a
                                                                                                                            • Instruction Fuzzy Hash: 61615B72A083059BC308DF35E481A5FB7E4AFCC718F814E2EF595D6151EA74EA08CB86
• Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
• Instruction ID: 582e3a7babb983407823034c482dc4f24404013c153b7f4d28c3fef3b0c68a44
• Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
• Instruction Fuzzy Hash: 43113B7720034183D60CAA6DC4B45BBD795EADE320FBD627FF0414B744CA2AD4459508
APIs
• CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418ECB
• CreateCompatibleDC.GDI32(00000000), ref: 00418ED8
  • Part of subcall function 00419360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419390
• CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F4E
• DeleteDC.GDI32(00000000), ref: 00418F65
• DeleteDC.GDI32(00000000), ref: 00418F68
• DeleteObject.GDI32(00000000), ref: 00418F6B
• SelectObject.GDI32(00000000,00000000), ref: 00418F8C
• DeleteDC.GDI32(00000000), ref: 00418F9D
• DeleteDC.GDI32(00000000), ref: 00418FA0
• StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418FC4
• GetCursorInfo.USER32(?), ref: 00418FE2
• GetIconInfo.USER32(?,?), ref: 00418FF8
• DeleteObject.GDI32(?), ref: 00419027
• DeleteObject.GDI32(?), ref: 00419034
• DrawIcon.USER32(00000000,?,?,?), ref: 00419041
• BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00419077
• GetObjectA.GDI32(00000000,00000018,?), ref: 004190A3
• LocalAlloc.KERNEL32(00000040,00000001), ref: 00419110
• GlobalAlloc.KERNEL32(00000000,?), ref: 0041917F
• GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
• DeleteDC.GDI32(?), ref: 004191B7
• DeleteDC.GDI32(00000000), ref: 004191BA
• DeleteObject.GDI32(00000000), ref: 004191BD
• GlobalFree.KERNEL32(?), ref: 004191C8
• DeleteObject.GDI32(00000000), ref: 0041927C
• GlobalFree.KERNEL32(?), ref: 00419283
• DeleteDC.GDI32(?), ref: 00419293
• DeleteDC.GDI32(00000000), ref: 0041929E
Strings
• API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
• String ID: DISPLAY
• API String ID: 4256916514-865373369
• Opcode ID: ffd388d4ec936dbbb1385cc7080cf814136728652839159dea317dec95857077
• Instruction ID: e1b8f987aa81746083de8242de432fb1856ba331ec6d7e725e66c1191a76d441
• Opcode Fuzzy Hash: ffd388d4ec936dbbb1385cc7080cf814136728652839159dea317dec95857077
• Instruction Fuzzy Hash: 64C14C71504301AFD720DF25DC48BABBBE9EB88715F04482EF98993291DB34ED45CB6A
APIs
  • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
  • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
• GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D558
• RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D56B
• SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D584
• SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D5B4
  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
  • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
  • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
• ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D7FF
• ExitProcess.KERNEL32 ref: 0040D80B
Strings
• API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
• String ID: """, 0$")$8SG$@qF$@qF$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("$xdF$xpF
• API String ID: 1861856835-1269936466
• Opcode ID: 779bd8c3fa979e6212a70a7ec10a956c9f97f6caeed947a2cb61efc57b251fae
• Instruction ID: 9f807323933333198641953f201c1fc8368d74e19fdabe041c5449f7db564f80
• Opcode Fuzzy Hash: 779bd8c3fa979e6212a70a7ec10a956c9f97f6caeed947a2cb61efc57b251fae
• Instruction Fuzzy Hash: 8791B0716082005AC315FB62D8529AF77A8AFD4309F10443FB64AA71E3EF7C9D49C65E
APIs
  • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
  • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
• GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E0
• RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1F3
• SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D223
• SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D232
  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
  • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
  • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
• ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D44D
• ExitProcess.KERNEL32 ref: 0040D454
Strings
• API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
• String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("$xdF$xpF
• API String ID: 3797177996-2858374497
• Opcode ID: 34cd123ecbe0fbb66d1e9573fb98715e399d3e63f3b6ffe41a95305b2ad0a746
• Instruction ID: f7f00373e35faeae073ffedb9d5543756e5675edee5c5b567d0d61755fae189b
• Opcode Fuzzy Hash: 34cd123ecbe0fbb66d1e9573fb98715e399d3e63f3b6ffe41a95305b2ad0a746
• Instruction Fuzzy Hash: 6181AF716082405AC315FB62D8529AF77A8AFD0308F10483FB58A671E3EF7C9E49C65E
APIs
• CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 004124CF
• ExitProcess.KERNEL32(00000000), ref: 004124DB
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412555
• OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412564
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041256F
• CloseHandle.KERNEL32(00000000), ref: 00412576
• GetCurrentProcessId.KERNEL32 ref: 0041257C
• PathFileExistsW.SHLWAPI(?), ref: 004125AD
• GetTempPathW.KERNEL32(00000104,?), ref: 00412610
• GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0041262A
• lstrcatW.KERNEL32(?,.exe), ref: 0041263C
  • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
• ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041267C
• Sleep.KERNEL32(000001F4), ref: 004126BD
• OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004126D2
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126DD
• CloseHandle.KERNEL32(00000000), ref: 004126E4
• GetCurrentProcessId.KERNEL32 ref: 004126EA
Strings
                                                                                                                            • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                                                                                                            • String ID: .exe$8SG$WDH$exepath$open$temp_
                                                                                                                            • API String ID: 2649220323-436679193
APIs
• mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B1CD
• mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B1E1
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660B4), ref: 0041B209
• PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B21F
• mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B260
• mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B278
• mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B28D
• SetEvent.KERNEL32 ref: 0041B2AA
• WaitForSingleObject.KERNEL32(000001F4), ref: 0041B2BB
• CloseHandle.KERNEL32 ref: 0041B2CB
• mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B2ED
• mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B2F7
Strings
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
• String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
• API String ID: 738084811-2094122233
APIs
• CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
• WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
• WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
• WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
• WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
• WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
• WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
• WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
• WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
• WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
• WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
• WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
• WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
• WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
Strings
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: File$Write$Create
• String ID: RIFF$WAVE$data$fmt
• API String ID: 1602526932-4212202414
APIs
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe,00000001,00407688,C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe,00000003,004076B0,004752D8,00407709), ref: 004072BF
• GetProcAddress.KERNEL32(00000000), ref: 004072C8
• GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072DD
• GetProcAddress.KERNEL32(00000000), ref: 004072E0
• GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072F1
• GetProcAddress.KERNEL32(00000000), ref: 004072F4
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00407305
• GetProcAddress.KERNEL32(00000000), ref: 00407308
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 00407319
• GetProcAddress.KERNEL32(00000000), ref: 0040731C
• GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040732D
• GetProcAddress.KERNEL32(00000000), ref: 00407330
Strings
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
• API String ID: 1646373207-3312983855
APIs
  • Part of subcall function 10001CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
  • Part of subcall function 10001CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
  • Part of subcall function 10001CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
• _strlen.LIBCMT ref: 10001855
• _strlen.LIBCMT ref: 10001869
• _strlen.LIBCMT ref: 1000188B
• _strlen.LIBCMT ref: 100018AE
• _strlen.LIBCMT ref: 100018C8
Strings
Memory Dump Source
• Source File: 00000000.00000002.4198476554.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4198460689.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4198476554.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Similarity
• API ID: _strlen$File$CopyCreateDelete
• String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
• API String ID: 3296212668-3023110444
APIs
• _wcslen.LIBCMT ref: 0040CE42
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE5B
• CopyFileW.KERNEL32(C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CF0B
• _wcslen.LIBCMT ref: 0040CF21
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CFA9
• CopyFileW.KERNEL32(C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe,00000000,00000000), ref: 0040CFBF
• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFFE
• _wcslen.LIBCMT ref: 0040D001
• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040D018
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D068
• ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000001), ref: 0040D086
• ExitProcess.KERNEL32 ref: 0040D09D
Strings
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
• String ID: 6$C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe$del$open$xdF
• API String ID: 1579085052-1695296946
                                                                                                                            • Opcode ID: 67cef1adcfe88fd22df7b52a543a2cc75cd07b451cd594fc2d60d423c6f0af38
                                                                                                                            • Instruction ID: 98553dc1b0994f0aa09194d7cf3a18af63584d9ff732256a229fdfb73b573f5c
                                                                                                                            • Opcode Fuzzy Hash: 67cef1adcfe88fd22df7b52a543a2cc75cd07b451cd594fc2d60d423c6f0af38
                                                                                                                            • Instruction Fuzzy Hash: 3151E820208302ABD615B7359C92A6F679D9F8471DF00443FF60AA61E3EF7C9D05866E
APIs
• lstrlenW.KERNEL32(?), ref: 0041C0C7
• _memcmp.LIBVCRUNTIME ref: 0041C0DF
• lstrlenW.KERNEL32(?), ref: 0041C0F8
• FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C133
• GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C146
• QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C18A
• lstrcmpW.KERNEL32(?,?), ref: 0041C1A5
• FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C1BD
• _wcslen.LIBCMT ref: 0041C1CC
• FindVolumeClose.KERNEL32(?), ref: 0041C1EC
• GetLastError.KERNEL32 ref: 0041C204
• GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C231
• lstrcatW.KERNEL32(?,?), ref: 0041C24A
• lstrcpyW.KERNEL32(?,?), ref: 0041C259
• GetLastError.KERNEL32 ref: 0041C261
Strings
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
• String ID: ?
• API String ID: 3941738427-1684325040
• Opcode ID: f867a525b16976b99bb039d508de341a2eaf9024ee8651fbc1bead663617605c
• Instruction ID: 8d48ee17a24f37a9bc83e71ffc922dd471ae74eb47091415c6e266b1ff6a60c4
• Opcode Fuzzy Hash: f867a525b16976b99bb039d508de341a2eaf9024ee8651fbc1bead663617605c
• Instruction Fuzzy Hash: B541A671584316EBD720DFA0DC889DBB7ECEB84745F00092BF545D2162EB78CA88CB96
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.4198476554.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4198460689.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4198476554.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Similarity
• API ID: _strlen
• String ID: %m$~$Gon~$~F@7$~dra
• API String ID: 4218353326-230879103
• Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
• Instruction ID: 2a57ee3bda34e0ca62253b4f9cdd28a92c7aa5ebcaa9e167bfd7dd38749d7a78
• Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
• Instruction Fuzzy Hash: 9371F5B5D002685BEF11DBB49895BDF7BFCDB05280F104096E644D7246EB74EB85CBA0
APIs
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: _free$EnvironmentVariable$_wcschr
• String ID:
• API String ID: 3899193279-0
• Opcode ID: 28687395a6aa2078608bd89f57b343956b66557142a9620950dd617db5e8e69e
• Instruction ID: 2409d22e097b45b84bdb59948eb4ebc1cd1141af37d2d18b4001dba56dac1aed
• Opcode Fuzzy Hash: 28687395a6aa2078608bd89f57b343956b66557142a9620950dd617db5e8e69e
• Instruction Fuzzy Hash: E3D135B1D003006FFB24AF799D82A6B7BA8EF01314F05417FE945A7382EB7D99098759
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408D1E
• GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D56
• __aulldiv.LIBCMT ref: 00408D88
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
• SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408EAB
• ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408EC6
• CloseHandle.KERNEL32(00000000), ref: 00408F9F
• CloseHandle.KERNEL32(00000000,00000052), ref: 00408FE9
• CloseHandle.KERNEL32(00000000), ref: 00409037
Strings
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
• String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $xdF$NG
• API String ID: 3086580692-3944908133
• Opcode ID: 10e7657350ea5cd0a06bdb738adb399af773a9676722d030367e354300d82033
• Instruction ID: 3fce176daff91a8ac67d7e00268aa6ddaa8eb0a69c3dc15cdf5b3728eb075172
• Opcode Fuzzy Hash: 10e7657350ea5cd0a06bdb738adb399af773a9676722d030367e354300d82033
• Instruction Fuzzy Hash: CCB1A1316083409BC314FB26C941AAFB7E5AFC4358F40492FF589622D2EF789945CB8B
APIs
• DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D66B
• GetCursorPos.USER32(?), ref: 0041D67A
• SetForegroundWindow.USER32(?), ref: 0041D683
• TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D69D
• Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D6EE
• ExitProcess.KERNEL32 ref: 0041D6F6
• CreatePopupMenu.USER32 ref: 0041D6FC
• AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D711
Strings
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
• String ID: Close
• API String ID: 1657328048-3535843008
• Opcode ID: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
• Instruction ID: ffebe08b42ddc2cad69fc5dc181b4667ce265f065f51bc56e4a7814a85689449
• Opcode Fuzzy Hash: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
• Instruction Fuzzy Hash: 2D213BB1544209FFDF155FA4ED0EAAA3F35EB08302F000125F909951B2D779EDA1EB19
APIs
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: _free$Info
• String ID:
• API String ID: 2509303402-0
• Opcode ID: 6f6fc0ac27b4b2f00b1102b51bee0220b0be09f2ed36c41455f2b0a14b53fe9c
• Instruction ID: 03d8b0dccc9171d7b4ee81f85837dfa1205ba0d7832ce976ccf3d084d520ac26
• Opcode Fuzzy Hash: 6f6fc0ac27b4b2f00b1102b51bee0220b0be09f2ed36c41455f2b0a14b53fe9c
• Instruction Fuzzy Hash: AFB1CE719002059FEB21DF69C881BEEBBF4BF09304F15842EF495A7242DB79AC458B69
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                                                                                              • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                                                                                              • Part of subcall function 00413733: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 0041374F
                                                                                                                              • Part of subcall function 00413733: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00413768
                                                                                                                              • Part of subcall function 00413733: RegCloseKey.KERNEL32(00000000), ref: 00413773
                                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D894
                                                                                                                            • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D9F3
                                                                                                                            • ExitProcess.KERNEL32 ref: 0040D9FF
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                                                                                            • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open$xdF
                                                                                                                            • API String ID: 1913171305-1736969612
                                                                                                                            • Opcode ID: d851455904b27b15f821b1239c4d8c5e889b136620947c0d327408f76a40a518
                                                                                                                            • Instruction ID: 6f299f75ad759bd4c56b3f4cab90e5e1fe41ff60d22e8747b975e3d2bb757992
                                                                                                                            • Opcode Fuzzy Hash: d851455904b27b15f821b1239c4d8c5e889b136620947c0d327408f76a40a518
                                                                                                                            • Instruction Fuzzy Hash: 9B4129719001155ACB15FBA2DC56DEEB778AF50709F10017FB10AB21E2FF785E8ACA98
                                                                                                                            APIs
                                                                                                                            • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                                                                                                            • LoadLibraryA.KERNEL32(?), ref: 00414E52
                                                                                                                            • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                                                                                                            • FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                                                                                                            • LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                                                                                                            • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                                                                                                            • FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                                                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                                                                                                            • FreeLibrary.KERNEL32(00000000), ref: 00414EF0
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                                                                                            • String ID: \ws2_32$\wship6$getaddrinfo
                                                                                                                            • API String ID: 2490988753-3078833738
                                                                                                                            • Opcode ID: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                                                                                                                            • Instruction ID: 3d65f6a93fba2a0b2eac8854c7d2b2934d6e6a161d7d6dc9994b6ec54a408268
                                                                                                                            • Opcode Fuzzy Hash: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                                                                                                                            • Instruction Fuzzy Hash: 5E31C4B1905315A7D7209F65CC84DDF76DCAB84754F004A2AF944A3210D738D985CBAE
                                                                                                                            APIs
                                                                                                                            • ___free_lconv_mon.LIBCMT ref: 10007D06
                                                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 100090D7
                                                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 100090E9
                                                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 100090FB
                                                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 1000910D
                                                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 1000911F
                                                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 10009131
                                                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 10009143
                                                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 10009155
                                                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 10009167
                                                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 10009179
                                                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 1000918B
                                                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 1000919D
                                                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 100091AF
                                                                                                                            • _free.LIBCMT ref: 10007CFB
                                                                                                                              • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                                                                              • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                                            • _free.LIBCMT ref: 10007D1D
                                                                                                                            • _free.LIBCMT ref: 10007D32
                                                                                                                            • _free.LIBCMT ref: 10007D3D
                                                                                                                            • _free.LIBCMT ref: 10007D5F
                                                                                                                            • _free.LIBCMT ref: 10007D72
                                                                                                                            • _free.LIBCMT ref: 10007D80
                                                                                                                            • _free.LIBCMT ref: 10007D8B
                                                                                                                            • _free.LIBCMT ref: 10007DC3
                                                                                                                            • _free.LIBCMT ref: 10007DCA
                                                                                                                            • _free.LIBCMT ref: 10007DE7
                                                                                                                            • _free.LIBCMT ref: 10007DFF
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4198476554.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4198460689.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000000.00000002.4198476554.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 161543041-0
                                                                                                                            • Opcode ID: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                                                                                                            • Instruction ID: 6de9b84f5b51ee4e35cbeb1ed48e08772f21b212059d2ac72beb9c863e9ed859
                                                                                                                            • Opcode Fuzzy Hash: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                                                                                                            • Instruction Fuzzy Hash: 90313931A04645EFFB21DA38E941B6A77FAFF002D1F11446AE84DDB159DE3ABC809B14
                                                                                                                            APIs
                                                                                                                            • ___free_lconv_mon.LIBCMT ref: 0045138A
                                                                                                                              • Part of subcall function 00450582: _free.LIBCMT ref: 0045059F
                                                                                                                              • Part of subcall function 00450582: _free.LIBCMT ref: 004505B1
                                                                                                                              • Part of subcall function 00450582: _free.LIBCMT ref: 004505C3
                                                                                                                              • Part of subcall function 00450582: _free.LIBCMT ref: 004505D5
                                                                                                                              • Part of subcall function 00450582: _free.LIBCMT ref: 004505E7
                                                                                                                              • Part of subcall function 00450582: _free.LIBCMT ref: 004505F9
                                                                                                                              • Part of subcall function 00450582: _free.LIBCMT ref: 0045060B
                                                                                                                              • Part of subcall function 00450582: _free.LIBCMT ref: 0045061D
                                                                                                                              • Part of subcall function 00450582: _free.LIBCMT ref: 0045062F
                                                                                                                              • Part of subcall function 00450582: _free.LIBCMT ref: 00450641
                                                                                                                              • Part of subcall function 00450582: _free.LIBCMT ref: 00450653
                                                                                                                              • Part of subcall function 00450582: _free.LIBCMT ref: 00450665
                                                                                                                              • Part of subcall function 00450582: _free.LIBCMT ref: 00450677
                                                                                                                            • _free.LIBCMT ref: 0045137F
                                                                                                                              • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                                                                              • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                                                            • _free.LIBCMT ref: 004513A1
                                                                                                                            • _free.LIBCMT ref: 004513B6
                                                                                                                            • _free.LIBCMT ref: 004513C1
                                                                                                                            • _free.LIBCMT ref: 004513E3
                                                                                                                            • _free.LIBCMT ref: 004513F6
                                                                                                                            • _free.LIBCMT ref: 00451404
                                                                                                                            • _free.LIBCMT ref: 0045140F
                                                                                                                            • _free.LIBCMT ref: 00451447
                                                                                                                            • _free.LIBCMT ref: 0045144E
                                                                                                                            • _free.LIBCMT ref: 0045146B
                                                                                                                            • _free.LIBCMT ref: 00451483
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 161543041-0
                                                                                                                            • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                                                                                                            • Instruction ID: 2428002f6fd8eb1a99257b9b861ac38f7c05b5b97acacff09fd9d8cf260fe807
                                                                                                                            • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                                                                                                            • Instruction Fuzzy Hash: 403193715003009FEB20AA39D846F5B73E8EF02315F62992FE849D7662DF78AD44C729
                                                                                                                            APIs
                                                                                                                            • __EH_prolog.LIBCMT ref: 0041A04A
                                                                                                                            • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 0041A07C
                                                                                                                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A108
                                                                                                                            • Sleep.KERNEL32(000003E8), ref: 0041A18E
                                                                                                                            • GetLocalTime.KERNEL32(?), ref: 0041A196
                                                                                                                            • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A285
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                                                                                            • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                                                                                                                            • API String ID: 489098229-1431523004
                                                                                                                            • Opcode ID: 6c69917a1bea05d3ed4b1a49cde951d5b90c700d53d87411cb27136286aa310f
                                                                                                                            • Instruction ID: 12d64888f2a2aa40a87de1a625a26b3edd7a2139bf4817292c9f8cf1352d8a2d
                                                                                                                            • Opcode Fuzzy Hash: 6c69917a1bea05d3ed4b1a49cde951d5b90c700d53d87411cb27136286aa310f
                                                                                                                            • Instruction Fuzzy Hash: 7A517D70A002159ACB14BBB5C8529FD77A9AF54308F40407FF509AB1E2EF7C9D85C799
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _free
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 269201875-0
                                                                                                                            • Opcode ID: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                                                                                                                            • Instruction ID: 80ca3ff3fa16d46db3e6ae4c9b8471dba03f652ca918f9f25067e0b92ee87d4d
                                                                                                                            • Opcode Fuzzy Hash: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                                                                                                                            • Instruction Fuzzy Hash: 30C183B6D40204ABEB20DBA9CC43FDE77F8AB09705F150166FE04EB283D6B49D459768
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00455929: CreateFileW.KERNEL32(00000000,00000000,?,00455D04,?,?,00000000,?,00455D04,00000000,0000000C), ref: 00455946
                                                                                                                            • GetLastError.KERNEL32 ref: 00455D6F
                                                                                                                            • __dosmaperr.LIBCMT ref: 00455D76
                                                                                                                            • GetFileType.KERNEL32(00000000), ref: 00455D82
                                                                                                                            • GetLastError.KERNEL32 ref: 00455D8C
                                                                                                                            • __dosmaperr.LIBCMT ref: 00455D95
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00455DB5
                                                                                                                            • CloseHandle.KERNEL32(?), ref: 00455EFF
                                                                                                                            • GetLastError.KERNEL32 ref: 00455F31
                                                                                                                            • __dosmaperr.LIBCMT ref: 00455F38
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                                                            • String ID: H
                                                                                                                            • API String ID: 4237864984-2852464175
                                                                                                                            • Opcode ID: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                                                                                                            • Instruction ID: 7cd045c9b8f196398d23f94ba58010557f508cd7b58f44c29b3e784ccbbfb847
                                                                                                                            • Opcode Fuzzy Hash: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                                                                                                            • Instruction Fuzzy Hash: 44A14532A106049FDF19AF68DC657BE3BA0EB06325F24015EEC11AB392D6398D1AC759
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _free
                                                                                                                            • String ID: \&G$\&G$`&G
                                                                                                                            • API String ID: 269201875-253610517
                                                                                                                            • Opcode ID: fb4e3dbc149d2c7ead481d14af816bdca3ff316622b678324ba67e9487465dd6
                                                                                                                            • Instruction ID: 59c4f5d9f803fa3be21c2588ad204ea2c1e8261bb9e1a4607c4596bf86990b35
                                                                                                                            • Opcode Fuzzy Hash: fb4e3dbc149d2c7ead481d14af816bdca3ff316622b678324ba67e9487465dd6
                                                                                                                            • Instruction Fuzzy Hash: 86610E75900205AFDB21DF69C842B9ABBF4EF06710F24426BED44EB242E774AD45CB58
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: 65535$udp
                                                                                                                            • API String ID: 0-1267037602
                                                                                                                            • Opcode ID: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                                                                                                            • Instruction ID: a9902b4e2b63063b067a15c036b171ad6d3a8658db747517b03e91dd9f9ead29
                                                                                                                            • Opcode Fuzzy Hash: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                                                                                                            • Instruction Fuzzy Hash: FB51D431605301ABDB609B14E905BFB77E8ABC5754F08042FF88597390E76CCCC1969E
                                                                                                                            APIs
                                                                                                                            • OpenClipboard.USER32 ref: 0041697C
                                                                                                                            • EmptyClipboard.USER32 ref: 0041698A
                                                                                                                            • CloseClipboard.USER32 ref: 00416990
                                                                                                                            • OpenClipboard.USER32 ref: 00416997
                                                                                                                            • GetClipboardData.USER32(0000000D), ref: 004169A7
                                                                                                                            • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                                                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                                                                                                            • CloseClipboard.USER32 ref: 004169BF
                                                                                                                              • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                                                                                            • String ID: !D@$xdF
                                                                                                                            • API String ID: 2172192267-3540039394
                                                                                                                            • Opcode ID: e41b4279dff7338a0e0a95efc4e84d7937d6a7eecd119ff92af5e5d562fb9817
                                                                                                                            • Instruction ID: c3dc955394dadbf9cb8fa72aed918e4e170398eafb94270add22466952777bd7
                                                                                                                            • Opcode Fuzzy Hash: e41b4279dff7338a0e0a95efc4e84d7937d6a7eecd119ff92af5e5d562fb9817
                                                                                                                            • Instruction Fuzzy Hash: AA014C31204301EFC714BB72DC49AAE7BA5AF88742F40047EF906861E2DF388C45C659
                                                                                                                            APIs
                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A912
                                                                                                                            • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A91F
                                                                                                                            • __dosmaperr.LIBCMT ref: 0043A926
                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A952
                                                                                                                            • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A95C
                                                                                                                            • __dosmaperr.LIBCMT ref: 0043A963
                                                                                                                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A9A6
                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A9B0
                                                                                                                            • __dosmaperr.LIBCMT ref: 0043A9B7
                                                                                                                            • _free.LIBCMT ref: 0043A9C3
                                                                                                                            • _free.LIBCMT ref: 0043A9CA
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2441525078-0
                                                                                                                            • Opcode ID: 1b21161869a1c6c97ce00f002d4111b93a94d55ba7b455788bfa216644d838f2
                                                                                                                            • Instruction ID: 3a2165a63a30732921e8d6571a772c998230e0148124485b419b79488018c54b
                                                                                                                            • Opcode Fuzzy Hash: 1b21161869a1c6c97ce00f002d4111b93a94d55ba7b455788bfa216644d838f2
                                                                                                                            • Instruction Fuzzy Hash: 8631D5B180420AFBDF01AFA5CC45EAF3B6CEF09324F11451AF950662A1DB38CD61DB66
                                                                                                                            APIs
                                                                                                                            • SetEvent.KERNEL32(?,?), ref: 004054BF
                                                                                                                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                                                                                                                            • TranslateMessage.USER32(?), ref: 0040557E
                                                                                                                            • DispatchMessageA.USER32(?), ref: 00405589
                                                                                                                            • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                                                                                                                            • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                                                                                                                              • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                                                                                            • String ID: CloseChat$DisplayMessage$GetMessage
                                                                                                                            • API String ID: 2956720200-749203953
                                                                                                                            • Opcode ID: ff1700ff3f067e6a142f53aca625504b2449791c3f6ba2f0885e6c12ba2f36a6
                                                                                                                            • Instruction ID: d37e718accd843302ceacc2187c81124e04698433963f5de03abd71ab6b9016f
                                                                                                                            • Opcode Fuzzy Hash: ff1700ff3f067e6a142f53aca625504b2449791c3f6ba2f0885e6c12ba2f36a6
                                                                                                                            • Instruction Fuzzy Hash: 39419071A04301ABCB14FB76DC5A86F37A9AB85704F40493EF516A31E1EF3C8905CB9A
APIs
• RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D81
  • Part of subcall function 00413A90: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
  • Part of subcall function 00413A90: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
• RegCloseKey.ADVAPI32(00000000,004660B4,004660B4,00466478,00466478,00000071), ref: 00413EEF
Strings
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: CloseEnumInfoOpenQuerysend
• String ID: (aF$,aF$xUG$xdF$NG$NG$TG
• API String ID: 3114080316-4028018678
• Opcode ID: 8314652676e1213d1a23995760953cf221b511936c2ccf43d8bb0606954b2446
• Instruction ID: 39136fa66a1b3d14a29046baa0c8a2124f92290552efa608aac098e6c3039c27
• Opcode Fuzzy Hash: 8314652676e1213d1a23995760953cf221b511936c2ccf43d8bb0606954b2446
• Instruction Fuzzy Hash: 03419F316042005AC324F726D852AEF76A99FD1384F40883FF549671D2EF7C5949866E
APIs
  • Part of subcall function 00417F67: __EH_prolog.LIBCMT ref: 00417F6C
• WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660B4), ref: 00417E17
• CloseHandle.KERNEL32(00000000), ref: 00417E20
• DeleteFileA.KERNEL32(00000000), ref: 00417E2F
• ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DE3
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
Strings
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
• String ID: 0VG$0VG$<$@$Temp
• API String ID: 1704390241-2575729100
• Opcode ID: 15ac03a660efee492055f90e0b0932c445f05500fc87ae5ac7d0290e78555198
• Instruction ID: 01f79aac078c9204ae4226344def03f9678a0966abb138ad227abf0e83d93267
• Opcode Fuzzy Hash: 15ac03a660efee492055f90e0b0932c445f05500fc87ae5ac7d0290e78555198
• Instruction Fuzzy Hash: 18417E319002099ACB14FB62DC56AEE7735AF00318F50417EF50A761E1EF7C5A8ACB99
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 00410EA9
• int.LIBCPMT ref: 00410EBC
  • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
  • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
• std::_Facet_Register.LIBCPMT ref: 00410EFC
• std::_Lockit::~_Lockit.LIBCPMT ref: 00410F05
• __CxxThrowException@8.LIBVCRUNTIME ref: 00410F23
• __Init_thread_footer.LIBCMT ref: 00410F64
Strings
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
• String ID: ,kG$0kG$@!G
• API String ID: 3815856325-312998898
• Opcode ID: 234cc645e6f2b623d94fc8cb2d29f52bc734eee13d30ec18b0bfe81019bed365
• Instruction ID: 6b7561e6e5701aa818233467e21ea388c72e3112cb5a37ed7db11c94fdfc7bf8
• Opcode Fuzzy Hash: 234cc645e6f2b623d94fc8cb2d29f52bc734eee13d30ec18b0bfe81019bed365
• Instruction Fuzzy Hash: 682129329005249BCB14FB6AD8429DE77A9DF48324F21416FF404E72D1DFB9AD818B9D
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABAD
• OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABC4
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABD1
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABE0
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF1
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF4
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
• API String ID: 221034970-0
• Opcode ID: 096e2c87fc6c65f47e4c6c752a7259066b900e282f660f6c8049b8ab8b72f741
• Instruction ID: a7ddf6af562b27afc3fdb57d9320cc893b1711f81dd6882f7bac22400d97ef93
• Opcode Fuzzy Hash: 096e2c87fc6c65f47e4c6c752a7259066b900e282f660f6c8049b8ab8b72f741
• Instruction Fuzzy Hash: 1411E931501218BFD711AF64DC85CFF3B6CDB41B66B000426FA0692191EB689D46AAFA
APIs
• _free.LIBCMT ref: 100059EA
  • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
  • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
• _free.LIBCMT ref: 100059F6
• _free.LIBCMT ref: 10005A01
• _free.LIBCMT ref: 10005A0C
• _free.LIBCMT ref: 10005A17
• _free.LIBCMT ref: 10005A22
• _free.LIBCMT ref: 10005A2D
• _free.LIBCMT ref: 10005A38
• _free.LIBCMT ref: 10005A43
• _free.LIBCMT ref: 10005A51
Memory Dump Source
• Source File: 00000000.00000002.4198476554.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4198460689.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4198476554.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
• Instruction ID: 60753d52f1e9cb5801f9add085180c5dd3fc305f79823ad6bc57240ee419c635
• Opcode Fuzzy Hash: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
• Instruction Fuzzy Hash: BE11B97E514548FFEB11DF58D842CDE3FA9EF04291B4540A1BD088F12ADA32EE50AB84
APIs
• _free.LIBCMT ref: 004481B5
  • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
• _free.LIBCMT ref: 004481C1
• _free.LIBCMT ref: 004481CC
• _free.LIBCMT ref: 004481D7
• _free.LIBCMT ref: 004481E2
• _free.LIBCMT ref: 004481ED
• _free.LIBCMT ref: 004481F8
• _free.LIBCMT ref: 00448203
• _free.LIBCMT ref: 0044820E
• _free.LIBCMT ref: 0044821C
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
• Instruction ID: 68a5115f29dd4dda1e04096f5587add38bc33a27c3b2fba9646c6a67a64c999e
• Opcode Fuzzy Hash: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
• Instruction Fuzzy Hash: AA11E9B6901108BFDB01FF55C852CDD3B65FF05354B0244AAF9488F222DB75DE509B95
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: Eventinet_ntoa
• String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
APIs
• ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417530
  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
• Sleep.KERNEL32(00000064), ref: 0041755C
• DeleteFileW.KERNEL32(00000000), ref: 00417590
Strings
Yara matches
Similarity
• API ID: File$CreateDeleteExecuteShellSleep
• String ID: /t $\sysinfo.txt$dxdiag$open$temp
APIs
• GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 00407418
• GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407691,C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe), ref: 004074D9
Strings
Yara matches
Similarity
• API ID: CurrentProcess
• String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
APIs
• _strftime.LIBCMT ref: 00401D50
  • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
• waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
• waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
• waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
Strings
Yara matches
Similarity
• API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
• String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
APIs
• CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
• waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
• waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
• waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
• waveInStart.WINMM ref: 00401CFE
Strings
Yara matches
Similarity
• API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
• String ID: dMG$|MG$PG
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D507
  • Part of subcall function 0041D5A0: RegisterClassExA.USER32(00000030), ref: 0041D5EC
  • Part of subcall function 0041D5A0: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
  • Part of subcall function 0041D5A0: GetLastError.KERNEL32 ref: 0041D611
• ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D53E
• lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D558
• Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D56E
• TranslateMessage.USER32(?), ref: 0041D57A
• DispatchMessageA.USER32(?), ref: 0041D584
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D591
Strings
Yara matches
Similarity
• API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
• String ID: Remcos
Yara matches
Similarity
• API ID:
• String ID:
APIs
• GetCPInfo.KERNEL32(?,?), ref: 00453EAF
• MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00453F32
• __alloca_probe_16.LIBCMT ref: 00453F6A
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00453FC5
• __alloca_probe_16.LIBCMT ref: 00454014
• MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00453FDC
  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00454058
• __freea.LIBCMT ref: 00454083
• __freea.LIBCMT ref: 0045408F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 201697637-0
                                                                                                                            • Opcode ID: 60ef2ba7967959a3bb5abb213fcabd91113b8325e5b7fdcf5ca33ed2e0ecdaf3
                                                                                                                            • Instruction ID: 957693029e8655488503f3238c5b69ab87e72ad781d0cd1ca1c521277c14990f
                                                                                                                            • Opcode Fuzzy Hash: 60ef2ba7967959a3bb5abb213fcabd91113b8325e5b7fdcf5ca33ed2e0ecdaf3
                                                                                                                            • Instruction Fuzzy Hash: 2B91D472E002069BDB208E65C846EEFBBF59F49756F14051BED00EB282D73DCD898769
                                                                                                                            APIs
                                                                                                                            • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
                                                                                                                            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
                                                                                                                            • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
                                                                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D58
                                                                                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D72
                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D7D
                                                                                                                            • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D8A
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4198476554.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4198460689.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000000.00000002.4198476554.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: File$Delete$CloseCopyCreateHandleReadSize
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1454806937-0
                                                                                                                            • Opcode ID: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                                                                                                                            • Instruction ID: 3114db45d92e83daf92c47a85baf70c14dd0292bf94a6379629bf72341f68b19
                                                                                                                            • Opcode Fuzzy Hash: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                                                                                                                            • Instruction Fuzzy Hash: 2221FCB594122CAFF710EBA08CCCFEF76ACEB08395F010566F515D2154D6709E458A70
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                                                              • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                                              • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                                                              • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                                            • _memcmp.LIBVCRUNTIME ref: 004454A4
                                                                                                                            • _free.LIBCMT ref: 00445515
                                                                                                                            • _free.LIBCMT ref: 0044552E
                                                                                                                            • _free.LIBCMT ref: 00445560
                                                                                                                            • _free.LIBCMT ref: 00445569
                                                                                                                            • _free.LIBCMT ref: 00445575
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _free$ErrorLast$_abort_memcmp
                                                                                                                            • String ID: C
                                                                                                                            • API String ID: 1679612858-1037565863
                                                                                                                            • Opcode ID: 6f1d39b58dd635c4ed11e96029a3cbcd4864377c401e683a9a2b4ff7d9f0077f
                                                                                                                            • Instruction ID: c5fa7cd4a0def74fccfc383a36f0c71fd12082b8797d706f49daa7c6421ebafc
                                                                                                                            • Opcode Fuzzy Hash: 6f1d39b58dd635c4ed11e96029a3cbcd4864377c401e683a9a2b4ff7d9f0077f
                                                                                                                            • Instruction Fuzzy Hash: D4B13775A016199FEB24DF18C885BAEB7B4FF48304F5085EAE809A7351E774AE90CF44
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: tcp$udp
                                                                                                                            • API String ID: 0-3725065008
                                                                                                                            • Opcode ID: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                                                                                                            • Instruction ID: 4fb2fbaa1818e082f2863e0a7c91e4ace7fe62ed23b491eff3584b955907a2f3
                                                                                                                            • Opcode Fuzzy Hash: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                                                                                                            • Instruction Fuzzy Hash: FC7197706083028FDB248F55D4817ABB7E4AFC8355F20482FF88697351E778DE858B9A
                                                                                                                            APIs
                                                                                                                            • __Init_thread_footer.LIBCMT ref: 004018BE
                                                                                                                            • ExitThread.KERNEL32 ref: 004018F6
                                                                                                                            • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
                                                                                                                              • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                                                                                            • String ID: PkG$XMG$NG$NG
                                                                                                                            • API String ID: 1649129571-3151166067
                                                                                                                            • Opcode ID: 7ddfdf43d04edfc8f172cd676b620cafa9da6c32b053e7a5d40d2a93e82dce8d
                                                                                                                            • Instruction ID: 94ec9d015e3317cd6a1a8c0f3f0e5257b1b149af30ff9c9aaa6ade548e88cebb
                                                                                                                            • Opcode Fuzzy Hash: 7ddfdf43d04edfc8f172cd676b620cafa9da6c32b053e7a5d40d2a93e82dce8d
                                                                                                                            • Instruction Fuzzy Hash: 7441D5312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D4AC71D
                                                                                                                            APIs
                                                                                                                            • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FB4,?,00000000,00408037,00000000), ref: 00407A00
                                                                                                                            • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A48
                                                                                                                              • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                                                            • CloseHandle.KERNEL32(00000000,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A88
                                                                                                                            • MoveFileW.KERNEL32(00000000,00000000), ref: 00407AA5
                                                                                                                            • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AD0
                                                                                                                            • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AE0
                                                                                                                              • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
                                                                                                                              • Part of subcall function 00404B96: SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                                                                                            • String ID: .part
                                                                                                                            • API String ID: 1303771098-3499674018
                                                                                                                            • Opcode ID: 3afc2f85f810e2c46033f561f8352aaa8f531af2af3959b11cfb50950e871b37
                                                                                                                            • Instruction ID: fa021c15c5d1e87e569c09a19ead990ccf19330fc060556597d24b4305e87d8f
                                                                                                                            • Opcode Fuzzy Hash: 3afc2f85f810e2c46033f561f8352aaa8f531af2af3959b11cfb50950e871b37
                                                                                                                            • Instruction Fuzzy Hash: 3A31B571508345AFC310EB61D84599FB3A8FF94359F00493FB945A21D2EB78EE08CB9A
                                                                                                                            APIs
                                                                                                                            • AllocConsole.KERNEL32(00475338), ref: 0041CE35
                                                                                                                            • GetConsoleWindow.KERNEL32 ref: 0041CE3B
                                                                                                                            • ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                                                                                                            • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Console$Window$AllocOutputShow
                                                                                                                            • String ID: Remcos v$5.1.3 Pro$CONOUT$
                                                                                                                            • API String ID: 4067487056-2212855755
                                                                                                                            • Opcode ID: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                                                                                                                            • Instruction ID: 6efa3de70d430de9448838496adf33c47162c0890a3ad1875f095e209401f165
                                                                                                                            • Opcode Fuzzy Hash: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                                                                                                                            • Instruction Fuzzy Hash: A90144B1A80304BBD610F7F19C8BF9E77AC9B14B05F500527BA04A70D2EB6DD944466E
                                                                                                                            APIs
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044AD23
                                                                                                                            • __alloca_probe_16.LIBCMT ref: 0044AD5B
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044ADA9
                                                                                                                            • __alloca_probe_16.LIBCMT ref: 0044AE40
                                                                                                                            • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AEA3
                                                                                                                            • __freea.LIBCMT ref: 0044AEB0
                                                                                                                              • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                                                                            • __freea.LIBCMT ref: 0044AEB9
                                                                                                                            • __freea.LIBCMT ref: 0044AEDE
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3864826663-0
                                                                                                                            • Opcode ID: 276b4224ba7534166915209a775ab474993eb6b0505c2e4c67818911aa509b1e
                                                                                                                            • Instruction ID: de232b2c18f644b0009b05ef7aad101f1c584e700cc6948cb3d999d9ae9be8cc
                                                                                                                            • Opcode Fuzzy Hash: 276b4224ba7534166915209a775ab474993eb6b0505c2e4c67818911aa509b1e
                                                                                                                            • Instruction Fuzzy Hash: 41514C72A80206AFFB258F64CC41EBF77A9DB44750F25462EFC14D7240EB38DC60869A
                                                                                                                            APIs
                                                                                                                            • SendInput.USER32 ref: 00419A25
                                                                                                                            • SendInput.USER32(00000001,?,0000001C,00000000), ref: 00419A4D
                                                                                                                            • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A74
                                                                                                                            • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A92
                                                                                                                            • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AB2
                                                                                                                            • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AD7
                                                                                                                            • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AF9
                                                                                                                            • SendInput.USER32(00000001,00000000,0000001C), ref: 00419B1C
                                                                                                                              • Part of subcall function 004199CE: MapVirtualKeyA.USER32(00000000,00000000), ref: 004199D4
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: InputSend$Virtual
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1167301434-0
                                                                                                                            • Opcode ID: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                                                                                                            • Instruction ID: b6cba15de7ba168fc32b54cb564de1fb898aed6d56f2455a0f9f7e0387a20004
                                                                                                                            • Opcode Fuzzy Hash: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                                                                                                            • Instruction Fuzzy Hash: 2431AE71218349A9E220DFA5DC41BDFBBECAF89B44F04080FF58457291CAA49D8C876B
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __freea$__alloca_probe_16_free
                                                                                                                            • String ID: a/p$am/pm$h{D
                                                                                                                            • API String ID: 2936374016-2303565833
                                                                                                                            • Opcode ID: fd6751c856b69d551333f65899c140b2c90fb7d01a30c867c2f4d7dd71cdc8bb
                                                                                                                            • Instruction ID: c225e1f32c331ede1d29eb10815d0f52c76e58365e66366979e06629ded2ae5c
                                                                                                                            • Opcode Fuzzy Hash: fd6751c856b69d551333f65899c140b2c90fb7d01a30c867c2f4d7dd71cdc8bb
                                                                                                                            • Instruction Fuzzy Hash: 94D1E1719082068AFB299F68C845ABFB7B1EF05300F28455BE501AB351D73D9E43CBA9
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                                                                            • _free.LIBCMT ref: 00444E87
                                                                                                                            • _free.LIBCMT ref: 00444E9E
                                                                                                                            • _free.LIBCMT ref: 00444EBD
                                                                                                                            • _free.LIBCMT ref: 00444ED8
                                                                                                                            • _free.LIBCMT ref: 00444EEF
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _free$AllocateHeap
                                                                                                                            • String ID: KED
                                                                                                                            • API String ID: 3033488037-2133951994
                                                                                                                            • Opcode ID: bf8f09c86d4ddf62a61791e98d41f8d125843f3e4b01e4d539fef815b17f4b11
                                                                                                                            • Instruction ID: 6eb5fd97c930506827bd935ec23fdf2bd7e2f8155051dcdfd38a61b70e77380a
                                                                                                                            • Opcode Fuzzy Hash: bf8f09c86d4ddf62a61791e98d41f8d125843f3e4b01e4d539fef815b17f4b11
                                                                                                                            • Instruction Fuzzy Hash: 2351B371A00604ABEB20DF29CC42B6B77F4FF89724B25456EE809D7751E739E901CB98
                                                                                                                            APIs
                                                                                                                            • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                                                                                                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                                                                                                                            • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413BC6
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Enum$InfoQueryValue
                                                                                                                            • String ID: [regsplt]$xUG$TG
                                                                                                                            • API String ID: 3554306468-1165877943
                                                                                                                            • Opcode ID: 0ca3b13ea657fb81dd7e6c05fa7c099bb84e95295b3eab936b7b06291c143594
                                                                                                                            • Instruction ID: 25111a67c66830bda9a991cbd11294aa9b1843c944dfd5f4caafe5fa1545c2ae
                                                                                                                            • Opcode Fuzzy Hash: 0ca3b13ea657fb81dd7e6c05fa7c099bb84e95295b3eab936b7b06291c143594
                                                                                                                            • Instruction Fuzzy Hash: 05512D71900219AADB11EB95DC86EEEB77DAF04305F10007AE505B6191EF746B48CBA9
                                                                                                                            APIs
                                                                                                                            • GetConsoleCP.KERNEL32 ref: 100094D4
                                                                                                                            • __fassign.LIBCMT ref: 1000954F
                                                                                                                            • __fassign.LIBCMT ref: 1000956A
                                                                                                                            • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 10009590
                                                                                                                            • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 100095AF
                                                                                                                            • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 100095E8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4198476554.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4198460689.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4198476554.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1324828854-0
                                                                                                                            • Opcode ID: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                                                                                                            • Instruction ID: 7b1e32e7ca62d622bc6abd4954a79b3a1191cf35157f5551c2bc05612337e78d
                                                                                                                            • Opcode Fuzzy Hash: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                                                                                                            • Instruction Fuzzy Hash: D7519271D00249AFEB10CFA4CC95BDEBBF8EF09350F15811AE955E7295D731AA41CB60
                                                                                                                            APIs
                                                                                                                            • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0044BBB1,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B47E
                                                                                                                            • __fassign.LIBCMT ref: 0044B4F9
                                                                                                                            • __fassign.LIBCMT ref: 0044B514
                                                                                                                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B53A
                                                                                                                            • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BBB1,00000000,?,?,?,?,?,?,?,?,?,0044BBB1,?), ref: 0044B559
                                                                                                                            • WriteFile.KERNEL32(?,?,00000001,0044BBB1,00000000,?,?,?,?,?,?,?,?,?,0044BBB1,?), ref: 0044B592
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1324828854-0
                                                                                                                            • Opcode ID: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                                                                                                            • Instruction ID: 262f0c9efa3d8d05c94b564727faad167cb6e35c827a04fe4b8fb241bd644287
                                                                                                                            • Opcode Fuzzy Hash: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                                                                                                            • Instruction Fuzzy Hash: 2151B470A00249AFDB10CFA8D845AEEFBF8EF09304F14456BE955E7291E734D941CBA9
                                                                                                                            APIs
                                                                                                                            • _ValidateLocalCookies.LIBCMT ref: 1000339B
                                                                                                                            • ___except_validate_context_record.LIBVCRUNTIME ref: 100033A3
                                                                                                                            • _ValidateLocalCookies.LIBCMT ref: 10003431
                                                                                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 1000345C
                                                                                                                            • _ValidateLocalCookies.LIBCMT ref: 100034B1
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4198476554.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4198460689.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000000.00000002.4198476554.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                            • String ID: csm
                                                                                                                            • API String ID: 1170836740-1018135373
                                                                                                                            • Opcode ID: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                                                                                                            • Instruction ID: 0a936c430148d26a69835db3fa9f683d01d5328c1142e13f0191aacd949c771e
                                                                                                                            • Opcode Fuzzy Hash: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                                                                                                            • Instruction Fuzzy Hash: D141D678E042189BEB12CF68C880A9FBBF9EF453A4F10C155E9159F25AD731FA01CB91
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00413656: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 00413678
                                                                                                                              • Part of subcall function 00413656: RegQueryValueExW.ADVAPI32(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
                                                                                                                              • Part of subcall function 00413656: RegCloseKey.ADVAPI32(?), ref: 004136A0
                                                                                                                              • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                                                                                              • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                                                                                                            • _wcslen.LIBCMT ref: 0041B7F4
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                                                                                                            • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                                                                                                                            • API String ID: 3286818993-122982132
                                                                                                                            • Opcode ID: 21ce8c3951ea68e9f4768855c246d238a69c4de2a44f28aaa4944944c55ea733
                                                                                                                            • Instruction ID: 00334f857bbe6022557327a28fa8f115e820bd32ca6b34e50ab8c41aa79dd428
                                                                                                                            • Opcode Fuzzy Hash: 21ce8c3951ea68e9f4768855c246d238a69c4de2a44f28aaa4944944c55ea733
                                                                                                                            • Instruction Fuzzy Hash: 42218872A001046BDB14BAB59CD6AFE766D9B48728F10043FF505B72C3EE3C9D49426D
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                                                                                              • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                                                                                                              • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                                                                                                                            • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BFA6
                                                                                                                            • PathFileExistsA.SHLWAPI(?), ref: 0040BFB3
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                                                                                            • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                                                                                            • API String ID: 1133728706-4073444585
                                                                                                                            • Opcode ID: ef440587a6d6cf4236e1d63a8ea1adfdc050b8b925e773dc6e93ff77d594781c
                                                                                                                            • Instruction ID: a06d8339010b4a31413dea3cf8b7af81beee50618fccc2c871009a62ab4f9f33
                                                                                                                            • Opcode Fuzzy Hash: ef440587a6d6cf4236e1d63a8ea1adfdc050b8b925e773dc6e93ff77d594781c
                                                                                                                            • Instruction Fuzzy Hash: BC215230A40219A6CB14F7F1CC969EE77299F50744F80017FE502B71D1EB7D6945C6DA
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 4464324db8c5353dfe5ce51150f621231adbafcb5ed67c6bb2f14fac2072150c
                                                                                                                            • Instruction ID: d4e598e7927038c57750db0ba161657e9615562456f8c919f0676739ef068bdb
                                                                                                                            • Opcode Fuzzy Hash: 4464324db8c5353dfe5ce51150f621231adbafcb5ed67c6bb2f14fac2072150c
                                                                                                                            • Instruction Fuzzy Hash: 931127B2504214BBEB216F768C05D1F7A5CEB86726B52062EFD55C7292DA3CCC0186A8
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 10009221: _free.LIBCMT ref: 1000924A
                                                                                                                            • _free.LIBCMT ref: 100092AB
                                                                                                                              • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                                                                              • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                                            • _free.LIBCMT ref: 100092B6
                                                                                                                            • _free.LIBCMT ref: 100092C1
                                                                                                                            • _free.LIBCMT ref: 10009315
                                                                                                                            • _free.LIBCMT ref: 10009320
                                                                                                                            • _free.LIBCMT ref: 1000932B
                                                                                                                            • _free.LIBCMT ref: 10009336
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4198476554.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4198460689.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000000.00000002.4198476554.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 776569668-0
                                                                                                                            • Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                                                                            • Instruction ID: 62dea9ede071ec04ae7e8d39c2d2a9b8d59ba4565e42afa4a1a73bd13a3591d1
                                                                                                                            • Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                                                                            • Instruction Fuzzy Hash: 3E118E35548B08FAFA20EBB0EC47FCB7B9DEF04780F400824BA9DB6097DA25B5249751
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00450CC1: _free.LIBCMT ref: 00450CEA
                                                                                                                            • _free.LIBCMT ref: 00450FC8
                                                                                                                              • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                                                                              • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                                                            • _free.LIBCMT ref: 00450FD3
                                                                                                                            • _free.LIBCMT ref: 00450FDE
                                                                                                                            • _free.LIBCMT ref: 00451032
                                                                                                                            • _free.LIBCMT ref: 0045103D
                                                                                                                            • _free.LIBCMT ref: 00451048
                                                                                                                            • _free.LIBCMT ref: 00451053
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 776569668-0
                                                                                                                            • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                                                                                            • Instruction ID: 345e916fd15b447c36d88a7a8914fd19e4c3e0710e9d23c2e9f19f8556552687
                                                                                                                            • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                                                                                            • Instruction Fuzzy Hash: C111D231402704AAE621BB72CC03FCB779CAF03304F454D2EBEA967153C7ACB4185654
                                                                                                                            APIs
                                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 004111AB
                                                                                                                            • int.LIBCPMT ref: 004111BE
                                                                                                                              • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                                                                                                              • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                                                                                                            • std::_Facet_Register.LIBCPMT ref: 004111FE
                                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 00411207
                                                                                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00411225
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                                                                            • String ID: (mG
                                                                                                                            • API String ID: 2536120697-4059303827
                                                                                                                            • Opcode ID: 1b5c7adf1a629fe2bc242511ea8b9d41abd54e1fd7f2f3a966b13196985dc313
                                                                                                                            • Instruction ID: b4facbf35e110c19f3eede998f69f9310dce987b63f856d60fe44c7d5fb17b17
                                                                                                                            • Opcode Fuzzy Hash: 1b5c7adf1a629fe2bc242511ea8b9d41abd54e1fd7f2f3a966b13196985dc313
                                                                                                                            • Instruction Fuzzy Hash: 42112732900114A7CB14EB9AD8018DEB7699F44364F11456FF904F72E1DB789E45CBC8
APIs
• GetLastError.KERNEL32(?,?,0043A3D1,0043933E), ref: 0043A3E8
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A3F6
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40F
• SetLastError.KERNEL32(00000000,?,0043A3D1,0043933E), ref: 0043A461
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
• Instruction ID: 228fd8bb196f6ae1284969ba5442ea73dc67404c1df350b3d70410c0baad6fb0
• Opcode Fuzzy Hash: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
• Instruction Fuzzy Hash: 87019C322483515EA61027797C8A62B2648EB293B9F30523FF518805F1EF984C90910D
APIs
• CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe), ref: 0040760B
  • Part of subcall function 00407538: _wcslen.LIBCMT ref: 0040755C
  • Part of subcall function 00407538: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
• CoUninitialize.OLE32 ref: 00407664
Strings
• [+] ucmCMLuaUtilShellExecMethod, xrefs: 004075F0
• [+] before ShellExec, xrefs: 0040762C
• [+] ShellExec success, xrefs: 00407649
• C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, xrefs: 004075EB, 004075EE, 00407640
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: InitializeObjectUninitialize_wcslen
• String ID: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
• API String ID: 3851391207-4230618524
• Opcode ID: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
• Instruction ID: e4e7d1672fbddd81374e29e92f863be8f9bad83f72bb7a306ddb251afa86686e
• Opcode Fuzzy Hash: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
• Instruction Fuzzy Hash: 4501D272B087116BE2246B65DC4AF6B3748DB41B25F11053FF901A62C1EAB9FC0146AB
APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BB18
• GetLastError.KERNEL32 ref: 0040BB22
Strings
• \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAE3
• UserProfile, xrefs: 0040BAE8
• [Chrome Cookies not found], xrefs: 0040BB3C
• [Chrome Cookies found, cleared!], xrefs: 0040BB48
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: DeleteErrorFileLast
• String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
• API String ID: 2018770650-304995407
• Opcode ID: 23744e4c670abd3239065d431bbbaa03e387e57c0f83022afe5b20698fc984ec
• Instruction ID: 5dee569c6883bfd73109a670bb68234af0f28e4caad238985ba957b2c74b96e7
• Opcode Fuzzy Hash: 23744e4c670abd3239065d431bbbaa03e387e57c0f83022afe5b20698fc984ec
• Instruction Fuzzy Hash: 5B01DF71A402055BCA04B7B6CC1B9BE7B24E922704B50017FF502726D6FE3E5D0986CE
Strings
• Rmc-8AXK3L, xrefs: 00407715
• C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, xrefs: 004076FF
• xdF, xrefs: 004076E4
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID:
• String ID: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe$Rmc-8AXK3L$xdF
• API String ID: 0-2149621966
• Opcode ID: 76fb36a6468107bc6bcf7edae7d85ad02bbabba37b75d9201cd6870646e6a122
• Instruction ID: 5ffff352cfcc2e87221e4fa572a01d73507d198e899e6baa5594ec663d9dd15d
• Opcode Fuzzy Hash: 76fb36a6468107bc6bcf7edae7d85ad02bbabba37b75d9201cd6870646e6a122
• Instruction Fuzzy Hash: 8DF02BB0E04600EBCB1477345D296AA3656A780397F40487BF507EB2F2EBBD5C41871E
APIs
• __allrem.LIBCMT ref: 0043ACE9
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD05
• __allrem.LIBCMT ref: 0043AD1C
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD3A
• __allrem.LIBCMT ref: 0043AD51
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD6F
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
• String ID:
• API String ID: 1992179935-0
• Opcode ID: 52068ab3a7cfe922dfe01ed446ba536eb0656cd97dd847f62b494b0202e28e08
• Instruction ID: c7cd181284538591ee8af1586cca3d38175ba7b34bac8e5aa56d350f01832762
• Opcode Fuzzy Hash: 52068ab3a7cfe922dfe01ed446ba536eb0656cd97dd847f62b494b0202e28e08
• Instruction Fuzzy Hash: 5F815972A40B05ABE7209F29CC41B6FB3A99F48324F24152FF591D67C1E77CE910875A
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,10006FFD,00000000,?,?,?,10008A72,?,?,00000100), ref: 1000887B
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,10008A72,?,?,00000100,5EFC4D8B,?,?), ref: 10008901
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 100089FB
• __freea.LIBCMT ref: 10008A08
  • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
• __freea.LIBCMT ref: 10008A11
• __freea.LIBCMT ref: 10008A36
Memory Dump Source
• Source File: 00000000.00000002.4198476554.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4198460689.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4198476554.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Similarity
• API ID: ByteCharMultiWide__freea$AllocateHeap
• String ID:
• API String ID: 1414292761-0
• Opcode ID: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
• Instruction ID: 3f57ce737592ef9202bcebfaa3f65c0582e3f3231b4dd00ae19a895c9b397c34
• Opcode Fuzzy Hash: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
• Instruction Fuzzy Hash: 4F51CF72710216ABFB15CF60CC85EAB37A9FB417D0F11462AFC44D6148EB35EE509BA1
APIs
• Sleep.KERNEL32(00000000,0040D29D), ref: 004044C4
  • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
Strings
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: H_prologSleep
• String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
• API String ID: 3469354165-3054508432
                                                                                                                            • Opcode ID: 6135b1ad359d38fd6fb980c04f32d412bb3d82f3a01308be80f5f962b52adf61
                                                                                                                            • Instruction ID: df1e58e957a7578ae16e417911435538e3341edc64810737793f4aa4f8849b6c
                                                                                                                            • Opcode Fuzzy Hash: 6135b1ad359d38fd6fb980c04f32d412bb3d82f3a01308be80f5f962b52adf61
                                                                                                                            • Instruction Fuzzy Hash: A751E171A042106BCA14FB369D0A66E3755ABC4748F00443FFA0A676E2DF7D8E45839E
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __cftoe
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4189289331-0
                                                                                                                            • Opcode ID: df708042516445aa89903c6330052172adb2df4233c064de01baf1be20d0a2ef
                                                                                                                            • Instruction ID: b93b8478136607885b926496a305f1bfb884a7f6acf724e610c81469f19cb9e5
                                                                                                                            • Opcode Fuzzy Hash: df708042516445aa89903c6330052172adb2df4233c064de01baf1be20d0a2ef
                                                                                                                            • Instruction Fuzzy Hash: 2551FD72500605ABFF209B598C81EAF77A8EF45334F25421FF915A6293DB3DD900C66D
                                                                                                                            APIs
                                                                                                                            • _strlen.LIBCMT ref: 10001607
                                                                                                                            • _strcat.LIBCMT ref: 1000161D
                                                                                                                            • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,1000190E,?,?,00000000,?,00000000), ref: 10001643
                                                                                                                            • lstrcatW.KERNEL32(?,?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 1000165A
                                                                                                                            • lstrlenW.KERNEL32(?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 10001661
                                                                                                                            • lstrcatW.KERNEL32(00001008,?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 10001686
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4198476554.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4198460689.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4198476554.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: lstrcatlstrlen$_strcat_strlen
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1922816806-0
                                                                                                                            • Opcode ID: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
                                                                                                                            • Instruction ID: a267a6945d1554df97f4c8e17fbec8689bbb0548aac84132402ab8fad08d9bbc
                                                                                                                            • Opcode Fuzzy Hash: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
                                                                                                                            • Instruction Fuzzy Hash: 9821A776900204ABEB05DBA4DC85FEE77B8EF88750F24401BF604AB185DF34B94587A9
                                                                                                                            APIs
                                                                                                                            • lstrcatW.KERNEL32(?,?,?,?,?,00000000), ref: 10001038
                                                                                                                            • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 1000104B
                                                                                                                            • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 10001061
                                                                                                                            • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 10001075
                                                                                                                            • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 10001090
                                                                                                                            • lstrlenW.KERNEL32(?,?,?,00000000), ref: 100010B8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4198476554.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4198460689.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4198476554.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: lstrlen$AttributesFilelstrcat
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3594823470-0
                                                                                                                            • Opcode ID: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
                                                                                                                            • Instruction ID: f5da6160d3db499da992451a69b84f141dc83571de07cfa19ff2ab3d93a8fd2c
                                                                                                                            • Opcode Fuzzy Hash: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
                                                                                                                            • Instruction Fuzzy Hash: DB21E5359003289BEF10DBA0DC48EDF37B8EF44294F104556E999931A6DE709EC5CF50
                                                                                                                            APIs
                                                                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD19
                                                                                                                            • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD3A
                                                                                                                            • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD81
                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD84
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 493672254-0
                                                                                                                            • Opcode ID: 465ab7c2e076ec59a8d270df8ce72ad0174e5281a4bfe7e39c5caa5367581a5e
                                                                                                                            • Instruction ID: 77e668261cf9ee2bd18e5a0e87596c089765e66a1be6d3c981f75cbf7ed2a716
                                                                                                                            • Opcode Fuzzy Hash: 465ab7c2e076ec59a8d270df8ce72ad0174e5281a4bfe7e39c5caa5367581a5e
                                                                                                                            • Instruction Fuzzy Hash: A7016D311462157AD6111B34AC4EFFB3B6CDB02772F10032BF625965D1DA68CE8195AB
                                                                                                                            APIs
                                                                                                                            • GetLastError.KERNEL32(?,?,10003518,100023F1,10001F17), ref: 10003864
                                                                                                                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10003872
                                                                                                                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 1000388B
                                                                                                                            • SetLastError.KERNEL32(00000000,?,10003518,100023F1,10001F17), ref: 100038DD
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4198476554.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4198460689.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4198476554.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLastValue___vcrt_
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3852720340-0
                                                                                                                            • Opcode ID: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
                                                                                                                            • Instruction ID: 2a33bd680f99e964f7cdf1ea0b0e713dcb61597015083b2077453114c578dac0
                                                                                                                            • Opcode Fuzzy Hash: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
                                                                                                                            • Instruction Fuzzy Hash: 0F012432608B225EF207D7796CCAA0B2BDDDB096F9B20C27AF510940E9EF219C009300
                                                                                                                            APIs
                                                                                                                            • GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
                                                                                                                            • _free.LIBCMT ref: 10005B2D
                                                                                                                            • _free.LIBCMT ref: 10005B55
                                                                                                                            • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B62
                                                                                                                            • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
                                                                                                                            • _abort.LIBCMT ref: 10005B74
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4198476554.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4198460689.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4198476554.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast$_free$_abort
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3160817290-0
                                                                                                                            • Opcode ID: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
                                                                                                                            • Instruction ID: 6ab9c425fee0725613b21b3b36aaf5e4259b246f4cabca8c388d0d7fb541d563
                                                                                                                            • Opcode Fuzzy Hash: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
                                                                                                                            • Instruction Fuzzy Hash: 8FF0A47A508911AAF212E3346C4AF0F36AACBC55E3F264125F918A619DFF27B9024174
                                                                                                                            APIs
                                                                                                                            • GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                                                            • _free.LIBCMT ref: 004482CC
                                                                                                                            • _free.LIBCMT ref: 004482F4
                                                                                                                            • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                                                                                                            • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                                                            • _abort.LIBCMT ref: 00448313
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast$_free$_abort
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3160817290-0
                                                                                                                            • Opcode ID: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                                                                                                                            • Instruction ID: 8d34d3ffa9a8a5ca7629c839d325bdddc3ef58a145117f7ac1d0225592351e3a
                                                                                                                            • Opcode Fuzzy Hash: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                                                                                                                            • Instruction Fuzzy Hash: 8EF0A435101B006BF611772A6C06B6F26599BD3B69F36042FFD18962D2EF6DCC42816D
                                                                                                                            APIs
                                                                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB46
                                                                                                                            • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB67
                                                                                                                            • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB88
                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB8B
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 221034970-0
                                                                                                                            • Opcode ID: f94ae9c5674c9adfc346e263051d54d626d5e40d867c234dda8e9c50f9d09011
                                                                                                                            • Instruction ID: 443f58cffa4f299642b313368f914f767bd977a6fac550f0ec2f38f013616b5a
                                                                                                                            • Opcode Fuzzy Hash: f94ae9c5674c9adfc346e263051d54d626d5e40d867c234dda8e9c50f9d09011
                                                                                                                            • Instruction Fuzzy Hash: E4F0F631541318BBD7116F259C49DFF3B6CDB45B62F000026FE0992192EB68DD4595F9
                                                                                                                            APIs
                                                                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC4A
                                                                                                                            • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC6B
                                                                                                                            • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A
                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8C
                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 221034970-0
                                                                                                                            • Opcode ID: 497ef82d1474d54709910eeaca97da118b40a23fe9dfeecc14ddd5be20b51566
                                                                                                                            • Instruction ID: 80b71cf000cc834045a6d48b23744411b71cc7e49355023a2f572df053a73ec4
                                                                                                                            • Opcode Fuzzy Hash: 497ef82d1474d54709910eeaca97da118b40a23fe9dfeecc14ddd5be20b51566
                                                                                                                            • Instruction Fuzzy Hash: 73F0C231501218ABD611AF65AC4AEFF3B6CDB45B62F00002AFE0992192EB38CD4595E9
                                                                                                                            APIs
                                                                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACB1
                                                                                                                            • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACC5
                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACD2
                                                                                                                            • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1
                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF3
                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF6
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 221034970-0
                                                                                                                            • Opcode ID: cf41fc214d4f8651c842d323f4a9434d7ee1c2a315675ff23975f89e6a089888
                                                                                                                            • Instruction ID: 4c72e2560426042a93d841201029be6eaa37955ba2c7d49e75f16ae618c5df44
                                                                                                                            • Opcode Fuzzy Hash: cf41fc214d4f8651c842d323f4a9434d7ee1c2a315675ff23975f89e6a089888
                                                                                                                            • Instruction Fuzzy Hash: 85F0F631501228BBD7116F25AC49DFF3B6CDB45B62F00002AFE0992192EB38CD46A6F9
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _free
                                                                                                                            • String ID: @^E
                                                                                                                            • API String ID: 269201875-2908066071
                                                                                                                            • Opcode ID: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                                                                                                            • Instruction ID: 6f8591e81a910498abf0b0e408487d1c0faf04506bf4bd3dd9e850377c22d226
                                                                                                                            • Opcode Fuzzy Hash: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                                                                                                            • Instruction Fuzzy Hash: 34413931B00104AAEB207B7A9C4666F3AB5DF45735F570A1FFD28C7293DA7C481D426A
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                                                                                                              • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,?,?,100010DF,?,?,?,00000000), ref: 10001EAC
                                                                                                                              • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                                                                                                              • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                                                                                                              • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,100010DF,?,100010DF,?,?,?,00000000), ref: 10001ED3
                                                                                                                            • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 1000122A
                                                                                                                              • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001855
                                                                                                                              • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001869
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4198476554.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4198460689.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4198476554.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: lstrlen$_strlenlstrcat$AttributesFile
                                                                                                                            • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                                                                                                            • API String ID: 4036392271-1520055953
                                                                                                                            • Opcode ID: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
                                                                                                                            • Instruction ID: e2b7c7e1c3038021adfe9ab266432482c710e64fc4cfb1bae4cfd9c1521b4980
                                                                                                                            • Opcode Fuzzy Hash: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
                                                                                                                            • Instruction Fuzzy Hash: 4B21D579E142486AFB14D7A0EC92FED7339EF80754F000556F604EB1D5EBB16E818758
                                                                                                                            APIs
                                                                                                                            • RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                                                                                                            • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                                                                                                            • GetLastError.KERNEL32 ref: 0041D611
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ClassCreateErrorLastRegisterWindow
                                                                                                                            • String ID: 0$MsgWindowClass
                                                                                                                            • API String ID: 2877667751-2410386613
                                                                                                                            • Opcode ID: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                                                                                                            • Instruction ID: e808ecd18ef19f47bd472c0c6462b34ef8490c58390ad3ae495a6aa035ed2a4b
                                                                                                                            • Opcode Fuzzy Hash: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                                                                                                            • Instruction Fuzzy Hash: 1F0125B1D00219ABDB00DFA5EC849EFBBBCEA08355F40453AF914A6241EB7589058AA4
                                                                                                                            APIs
                                                                                                                            • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004077D6
                                                                                                                            • CloseHandle.KERNEL32(?), ref: 004077E5
                                                                                                                            • CloseHandle.KERNEL32(?), ref: 004077EA
                                                                                                                            Strings
                                                                                                                            • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004077CC
                                                                                                                            • C:\Windows\System32\cmd.exe, xrefs: 004077D1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseHandle$CreateProcess
                                                                                                                            • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                                                                                            • API String ID: 2922976086-4183131282
                                                                                                                            • Opcode ID: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                                                                                                            • Instruction ID: 1887ccd63cb29ce90d3c4a9dee080bc6fb52b3336ad705aa4023eed0db3a7680
                                                                                                                            • Opcode Fuzzy Hash: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                                                                                                            • Instruction Fuzzy Hash: 04F09672D4029C76CB20ABD7AC0EEDF7F3CEBC5B11F00051AF904A2045DA745400CAB5
                                                                                                                            APIs
                                                                                                                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000), ref: 10004B59
                                                                                                                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 10004B6C
                                                                                                                            • FreeLibrary.KERNEL32(00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082), ref: 10004B8F
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4198476554.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4198460689.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4198476554.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                            • String ID: CorExitProcess$mscoree.dll
                                                                                                                            • API String ID: 4061214504-1276376045
                                                                                                                            • Opcode ID: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
                                                                                                                            • Instruction ID: e6e2f78cdd7cd30bdf2d4d174718ae12991e9b6ae5ca6a82eaba56a43cf4d13d
                                                                                                                            • Opcode Fuzzy Hash: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
                                                                                                                            • Instruction Fuzzy Hash: C8F03C71900218BBEB11AB94CC48BAEBFB9EF043D1F01416AE909A6164DF309941CAA5
                                                                                                                            APIs
                                                                                                                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 004433FA
                                                                                                                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044340D
                                                                                                                            • FreeLibrary.KERNEL32(00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 00443430
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                            • String ID: CorExitProcess$mscoree.dll
                                                                                                                            • API String ID: 4061214504-1276376045
                                                                                                                            • Opcode ID: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                                                                                                            • Instruction ID: d7bd46dfab834bb5d48edea7818df211002af85bf4a2e706b61bd78119be3437
                                                                                                                            • Opcode Fuzzy Hash: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                                                                                                            • Instruction Fuzzy Hash: 4EF04931900208FBDB159F65DC45B9EBF74EF04753F0040A5F805A2251DB758E40CA99
                                                                                                                            APIs
                                                                                                                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
                                                                                                                            • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
                                                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405140
                                                                                                                              • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                                                                                            • String ID: KeepAlive | Disabled
                                                                                                                            • API String ID: 2993684571-305739064
                                                                                                                            • Opcode ID: 79b17cb61ca097f2dd87540d91e49b40a86234966918d688794a6c742f2a43ed
                                                                                                                            • Instruction ID: dc79248355977efa3495ea8e96f68553e1f2867eb32bbe7dc6984d352a193ca4
                                                                                                                            • Opcode Fuzzy Hash: 79b17cb61ca097f2dd87540d91e49b40a86234966918d688794a6c742f2a43ed
                                                                                                                            • Instruction Fuzzy Hash: 5DF06D71904711BBDB203B758D0AAAB7E95AB06315F0009BEF982916E2D6798C408F9A
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                                            • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041AE83
                                                                                                                            • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE91
                                                                                                                            • Sleep.KERNEL32(00002710), ref: 0041AE98
                                                                                                                            • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AEA1
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: PlaySound$HandleLocalModuleSleepTime
                                                                                                                            • String ID: Alarm triggered
                                                                                                                            • API String ID: 614609389-2816303416
                                                                                                                            • Opcode ID: 7392df8db2022c5dabbdd0a7ddbeb5ff2cdfd3fc416767bfd221d1b9e2b6ff7c
                                                                                                                            • Instruction ID: 264e31dd7f8ae4a58c3cd97330858728e5483d82e525179ed11d996d756d41c5
                                                                                                                            • Opcode Fuzzy Hash: 7392df8db2022c5dabbdd0a7ddbeb5ff2cdfd3fc416767bfd221d1b9e2b6ff7c
                                                                                                                            • Instruction Fuzzy Hash: 3EE0D826A40220779A10337B6D0FD6F3D29CAC3B2570100BFFA05660C2DD540C01C6FB
                                                                                                                            APIs
                                                                                                                            • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CE7E), ref: 0041CDF3
                                                                                                                            • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE00
                                                                                                                            • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CE7E), ref: 0041CE0D
                                                                                                                            • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE20
                                                                                                                            Strings
                                                                                                                            • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CE13
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                                                                                            • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                                                                                            • API String ID: 3024135584-2418719853
                                                                                                                            • Opcode ID: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                                                                                                            • Instruction ID: 3099d3b49c49d1df3d44327ff87017ee7d1b0803ff7cdb2815dc6b7c28d9377e
                                                                                                                            • Opcode Fuzzy Hash: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                                                                                                            • Instruction Fuzzy Hash: B6E04872504315E7E31027B5EC4DCAB7B7CE745613B100266FA16915D39A749C41C6B5
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 52d86c3ce57e0cfe0599c5a04198a87027602046587802b200418d3fba34e127
                                                                                                                            • Instruction ID: 15e211ccade7fc2a5debfa8ad78d9bfa955d5b29a73147504924d067d3782226
                                                                                                                            • Opcode Fuzzy Hash: 52d86c3ce57e0cfe0599c5a04198a87027602046587802b200418d3fba34e127
                                                                                                                            • Instruction Fuzzy Hash: 2771D4319012569BEB21CF55C884AFFBB75EF55310F19412BE815672A0DB78CCC1CBA8
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                                                                                              • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
                                                                                                                            • Process32FirstW.KERNEL32(00000000,?), ref: 0040F97A
                                                                                                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F989
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0040FB40
                                                                                                                              • Part of subcall function 0041C076: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F634,00000000,?,?,00475338), ref: 0041C08B
                                                                                                                              • Part of subcall function 0041C076: IsWow64Process.KERNEL32(00000000,?,?,?,00475338), ref: 0041C096
                                                                                                                              • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                                                                                              • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                                                                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FB31
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
• String ID:
• API String ID: 2180151492-0
• Opcode ID: ff396704fe56e46d861682aa92f4022f70370c23816627ea426aa3d22105c337
• Instruction ID: d02cab962e177bd28921c4f9a71df23b762ba7d31cecf8da060328e0f3db66c6
• Opcode Fuzzy Hash: ff396704fe56e46d861682aa92f4022f70370c23816627ea426aa3d22105c337
• Instruction Fuzzy Hash: 5F4136311083419BC325F722DC51AEFB3A5AF94305F50493EF58A921E2EF385A49C65A
APIs
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
• Instruction ID: bbec49e9ccdd5c2af131aecc9b6810ea24321c3eb42f74c08fbdd36582e243a3
• Opcode Fuzzy Hash: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
• Instruction Fuzzy Hash: 5F41E232E00200AFEB14DF78C881A5EB3B5EF89B18F1545AEE915EB351D735AE05CB84
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92), ref: 004511F9
• __alloca_probe_16.LIBCMT ref: 00451231
• MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?), ref: 00451282
• GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?,00000002,00000000), ref: 00451294
• __freea.LIBCMT ref: 0045129D
  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
• String ID:
• API String ID: 313313983-0
• Opcode ID: 505ad9812f568066b07f0fb8a09e4f725dd1d0495a5b090eb77152ea1c2fabb2
• Instruction ID: f723c28c07ecd650b398e20bb728631ced1c531215915adb10fa1f31571a6cea
• Opcode Fuzzy Hash: 505ad9812f568066b07f0fb8a09e4f725dd1d0495a5b090eb77152ea1c2fabb2
• Instruction Fuzzy Hash: F7310331A0020AABDF249F65DC41EAF7BA5EB04701F0445AAFC08E72A2E739CC55CB94
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 1000715C
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000717F
  • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 100071A5
• _free.LIBCMT ref: 100071B8
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 100071C7
Memory Dump Source
• Source File: 00000000.00000002.4198476554.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4198460689.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4198476554.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• String ID:
• API String ID: 336800556-0
• Opcode ID: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
• Instruction ID: fdf90bdbf822fabaf3dd9d310e80898d5fc59248e37e3ebe61ec6e18e74c85b1
• Opcode Fuzzy Hash: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
• Instruction Fuzzy Hash: 6601D872A01225BB73129BBE5C8CDBF2A6DFBC69E0311012AFD0CC7288DB658C0181B0
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 0044F3E3
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F406
  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F42C
• _free.LIBCMT ref: 0044F43F
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F44E
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• String ID:
• API String ID: 336800556-0
• Opcode ID: bd5b513fc8b609e28947bb0fbcaa4a85653cdf481583ed06f966610d709b3706
• Instruction ID: b6d7bf627ac8e1e23e8e90154f8049d5dc13ee9613ce4caf203d647ba434722a
• Opcode Fuzzy Hash: bd5b513fc8b609e28947bb0fbcaa4a85653cdf481583ed06f966610d709b3706
• Instruction Fuzzy Hash: 2401DF72602721BF37211ABB5C8DC7F6AACDEC6FA5355013AFD04D2202DE688D0691B9
APIs
• GetLastError.KERNEL32(00000000,?,00000000,1000636D,10005713,00000000,?,10002249,?,?,10001D66,00000000,?,?,00000000), ref: 10005B7F
• _free.LIBCMT ref: 10005BB4
• _free.LIBCMT ref: 10005BDB
• SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BE8
• SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BF1
Memory Dump Source
• Source File: 00000000.00000002.4198476554.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4198460689.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4198476554.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
• Opcode ID: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
• Instruction ID: a404960836b3e2f032ab47abdd1028028b52a365ddf0c47563f665e512f3cffd
• Opcode Fuzzy Hash: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
• Instruction Fuzzy Hash: 5501F47A108A52A7F202E7345C85E1F3AAEDBC55F37220025FD19A615EEF73FD024164
APIs
• GetLastError.KERNEL32(?,00000000,00000000,0043BCD6,00000000,00000000,?,0043BD5A,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044831E
• _free.LIBCMT ref: 00448353
• _free.LIBCMT ref: 0044837A
• SetLastError.KERNEL32(00000000,?,00405103), ref: 00448387
• SetLastError.KERNEL32(00000000,?,00405103), ref: 00448390
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
• Opcode ID: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
• Instruction ID: 5af5a014564f127a9d6b3613d5887cb4baea3ca98ff5bc54bcf39f1731b7af1a
• Opcode Fuzzy Hash: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
• Instruction Fuzzy Hash: 3401F936100B006BB7117A2A5C45E6F3259DBD2B75B35093FFD1892292EF7ECC02812D
APIs
• OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
• OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
• GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041C2B9
• CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2C4
• CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2CC
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: Process$CloseHandleOpen$FileImageName
• String ID:
• API String ID: 2951400881-0
• Opcode ID: e1074fac5642d3b73ea46f905cbac139ffb473db2c7b30d838fbef5372722d9f
• Instruction ID: 82f86893bb8475317186349f6084970b7a3011258d8579340058f5d8518f4318
• Opcode Fuzzy Hash: e1074fac5642d3b73ea46f905cbac139ffb473db2c7b30d838fbef5372722d9f
• Instruction Fuzzy Hash: 9C01F231680215ABD61066949C8AFA7B66C8B84756F0001ABFA08D22A2EF74CD81466A
APIs
• lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
• lstrcatW.KERNEL32(?,?,?,100010DF,?,?,?,00000000), ref: 10001EAC
• lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
• lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
• lstrcatW.KERNEL32(?,100010DF,?,100010DF,?,?,?,00000000), ref: 10001ED3
Memory Dump Source
• Source File: 00000000.00000002.4198476554.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4198460689.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4198476554.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: lstrlen$lstrcat
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 493641738-0
                                                                                                                            • Opcode ID: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
                                                                                                                            • Instruction ID: f5d9027fafc921fe84ae6627056796c55de3fa1ad923a59450c5185d8ca5453c
                                                                                                                            • Opcode Fuzzy Hash: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
                                                                                                                            • Instruction Fuzzy Hash: D8F082261002207AF621772AECC5FBF7B7CEFC6AA0F04001AFA0C83194DB54684292B5
                                                                                                                            APIs
                                                                                                                            • _free.LIBCMT ref: 100091D0
                                                                                                                              • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                                                                              • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                                            • _free.LIBCMT ref: 100091E2
                                                                                                                            • _free.LIBCMT ref: 100091F4
                                                                                                                            • _free.LIBCMT ref: 10009206
                                                                                                                            • _free.LIBCMT ref: 10009218
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4198476554.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4198460689.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4198476554.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 776569668-0
                                                                                                                            • Opcode ID: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                                                                                                                            • Instruction ID: a08e021c65853776c99c3fd86fadada58ae96d962e635c5153d22f52a77de1c5
                                                                                                                            • Opcode Fuzzy Hash: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                                                                                                                            • Instruction Fuzzy Hash: 77F06DB161C650ABE664DB58EAC6C4B7BEDFB003E13608805FC4DD7549CB31FC809A64
                                                                                                                            APIs
                                                                                                                            • _free.LIBCMT ref: 00450A54
                                                                                                                              • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                                                                              • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                                                            • _free.LIBCMT ref: 00450A66
                                                                                                                            • _free.LIBCMT ref: 00450A78
                                                                                                                            • _free.LIBCMT ref: 00450A8A
                                                                                                                            • _free.LIBCMT ref: 00450A9C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 776569668-0
                                                                                                                            • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                                                                                                            • Instruction ID: 72fff71e7c38304dd33e0b5962bcef44c8ad6e5fbb3f6de42623dcf71f8de19c
                                                                                                                            • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                                                                                                            • Instruction Fuzzy Hash: F7F012765053006B9620EB5DE883C1773D9EA157117A68C1BF549DB652C778FCC0866C
                                                                                                                            APIs
                                                                                                                            • _free.LIBCMT ref: 1000536F
                                                                                                                              • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                                                                              • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                                            • _free.LIBCMT ref: 10005381
                                                                                                                            • _free.LIBCMT ref: 10005394
                                                                                                                            • _free.LIBCMT ref: 100053A5
                                                                                                                            • _free.LIBCMT ref: 100053B6
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4198476554.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4198460689.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4198476554.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 776569668-0
                                                                                                                            • Opcode ID: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
                                                                                                                            • Instruction ID: ba906e9feca9bc6e71cd1aa5ebacb8f64a9f241ffe6b13fedf7f16c4e4854dfa
                                                                                                                            • Opcode Fuzzy Hash: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
                                                                                                                            • Instruction Fuzzy Hash: 38F0F478C18934EBF741DF28ADC140A3BB5F718A91342C15AFC1497279DB36D9429B84
                                                                                                                            APIs
                                                                                                                            • _free.LIBCMT ref: 00444106
                                                                                                                              • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                                                                              • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                                                            • _free.LIBCMT ref: 00444118
                                                                                                                            • _free.LIBCMT ref: 0044412B
                                                                                                                            • _free.LIBCMT ref: 0044413C
                                                                                                                            • _free.LIBCMT ref: 0044414D
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 776569668-0
                                                                                                                            • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                                                                                                            • Instruction ID: 0e9c2896d1a2baf17e4b980eca3efa8a556ca0a6e45d827b59e8921ed08f8926
                                                                                                                            • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                                                                                                            • Instruction Fuzzy Hash: 91F03AB18025208FA731AF2DBD528053BA1A705720356853BF40C62A71C7B849C2DFDF
                                                                                                                            APIs
                                                                                                                            • GetKeyboardLayoutNameA.USER32(?), ref: 00409F0E
                                                                                                                              • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,004EAAB8,00000010), ref: 004048E0
                                                                                                                              • Part of subcall function 0041C5A6: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F96,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C5BB
                                                                                                                              • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateFileKeyboardLayoutNameconnectsend
                                                                                                                            • String ID: XQG$NG$PG
                                                                                                                            • API String ID: 1634807452-3565412412
                                                                                                                            • Opcode ID: f49fd900996373dfcc9eedd7d8b7a2d490d5d6d444fc0cdedd9848332f963db1
                                                                                                                            • Instruction ID: 86122f73fea86c9dce3a8c8dcd7d10d1556e7c038dfd98f63e082762e027ad1b
                                                                                                                            • Opcode Fuzzy Hash: f49fd900996373dfcc9eedd7d8b7a2d490d5d6d444fc0cdedd9848332f963db1
                                                                                                                            • Instruction Fuzzy Hash: 955120315082419BC328FB32D851AEFB3E5AFD4348F50493FF54AA71E2EF78594A8649
                                                                                                                            APIs
                                                                                                                            • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe,00000104), ref: 10004C1D
                                                                                                                            • _free.LIBCMT ref: 10004CE8
                                                                                                                            • _free.LIBCMT ref: 10004CF2
                                                                                                                            Strings
                                                                                                                            • C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, xrefs: 10004C14, 10004C1B, 10004C4A, 10004C82
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4198476554.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4198460689.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4198476554.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _free$FileModuleName
                                                                                                                            • String ID: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe
                                                                                                                            • API String ID: 2506810119-1530025509
                                                                                                                            • Opcode ID: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                                                                                                                            • Instruction ID: 12f2da1a58c9c923660241357757b5dddff340f6d61411cdc8d35d961f62cc7a
                                                                                                                            • Opcode Fuzzy Hash: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                                                                                                                            • Instruction Fuzzy Hash: EB31A0B5A01258EFFB51CF99CC81D9EBBFCEB88390F12806AF80497215DA709E41CB54
                                                                                                                            APIs
                                                                                                                            • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe,00000104), ref: 00443515
                                                                                                                            • _free.LIBCMT ref: 004435E0
                                                                                                                            • _free.LIBCMT ref: 004435EA
                                                                                                                            Strings
                                                                                                                            • C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe, xrefs: 0044350C, 00443513, 00443542, 0044357A
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _free$FileModuleName
                                                                                                                            • String ID: C:\Users\user\Desktop\17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe
                                                                                                                            • API String ID: 2506810119-1530025509
                                                                                                                            • Opcode ID: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                                                                                                            • Instruction ID: e5efe6401a3e5f1db0e1141fbbc5a3d1caea7301f6195c2e8eaff0a3f5655f7e
                                                                                                                            • Opcode Fuzzy Hash: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                                                                                                            • Instruction Fuzzy Hash: D63193B1A00254BFEB21DF9A998199EBBF8EB84B15F10406BF40597311D6B88F41CB99
                                                                                                                            APIs
                                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                                                                                                              • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                                                                                                              • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                                                                                                              • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                                                                                                              • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                                                                                                            • Sleep.KERNEL32(000000FA,00465E84), ref: 00404138
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                                                                                            • String ID: /sort "Visit Time" /stext "$0NG
                                                                                                                            • API String ID: 368326130-3219657780
                                                                                                                            • Opcode ID: 9df00872d90208c9d5c5224bc933da9a56c7301b1e329921b6513d3aa75a1302
                                                                                                                            • Instruction ID: 7a7c83aa22bf4ff3424ba87d95d637a61540eed1193ecfb54830ab602693969f
                                                                                                                            • Opcode Fuzzy Hash: 9df00872d90208c9d5c5224bc933da9a56c7301b1e329921b6513d3aa75a1302
                                                                                                                            • Instruction Fuzzy Hash: 2C316371A0011956CB15FBA6DC569ED7375AF90308F00007FF60AB71E2EF785D49CA99
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                                                                            • __Init_thread_footer.LIBCMT ref: 0040B7D2
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Init_thread_footer__onexit
                                                                                                                            • String ID: [End of clipboard]$[Text copied to clipboard]$xdF
                                                                                                                            • API String ID: 1881088180-1310280921
                                                                                                                            • Opcode ID: aab56e33057553800295abaefa9c7485b9a584f15fd26827522227e1125859f4
                                                                                                                            • Instruction ID: 844f446031992ee5170c212df839aebd4a436c67f2956c9e8fe8aff684c3a130
                                                                                                                            • Opcode Fuzzy Hash: aab56e33057553800295abaefa9c7485b9a584f15fd26827522227e1125859f4
                                                                                                                            • Instruction Fuzzy Hash: 30217131A102198ACB14FBA6D8929EDB375AF54318F10443FE505771D2EF786D4ACA8C
                                                                                                                            APIs
                                                                                                                            • _wcslen.LIBCMT ref: 00416330
                                                                                                                              • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                                                                                              • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                                                                                                              • Part of subcall function 004138B2: RegCloseKey.KERNEL32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                                                                                                              • Part of subcall function 00409E1F: _wcslen.LIBCMT ref: 00409E38
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _wcslen$CloseCreateValue
                                                                                                                            • String ID: !D@$okmode$PG
                                                                                                                            • API String ID: 3411444782-3370592832
                                                                                                                            • Opcode ID: 55bcd3e29eb10185adde02b7b305d30d03a5a32f41bb1f9664c49526529db5f6
                                                                                                                            • Instruction ID: 097cdf197a66b89fefcd85ce8a19d7acc75244c7017ebd4eb32b8c3ef24b572d
                                                                                                                            • Opcode Fuzzy Hash: 55bcd3e29eb10185adde02b7b305d30d03a5a32f41bb1f9664c49526529db5f6
                                                                                                                            • Instruction Fuzzy Hash: 1E11A571B442011BDA187B32D862BBD22969F84348F80843FF546AF2E2DFBD4C51975D
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0040C4FE: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                                                                                                            • PathFileExistsW.SHLWAPI(00000000), ref: 0040C658
                                                                                                                            • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C6C3
                                                                                                                            Strings
                                                                                                                            • User Data\Default\Network\Cookies, xrefs: 0040C63E
                                                                                                                            • User Data\Profile ?\Network\Cookies, xrefs: 0040C670
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ExistsFilePath
                                                                                                                            • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                                                                                            • API String ID: 1174141254-1980882731
                                                                                                                            • Opcode ID: 2a38480921e4d6be1d5b2529be3b715cdf247bf3a0a1df31f1585b54042120b5
                                                                                                                            • Instruction ID: a3c4a2fc075df05cc4efb8d324c4514c6f5a9a9113215be8183f294a60e8cc46
                                                                                                                            • Opcode Fuzzy Hash: 2a38480921e4d6be1d5b2529be3b715cdf247bf3a0a1df31f1585b54042120b5
                                                                                                                            • Instruction Fuzzy Hash: 0621E27190011A96CB14FBA2DC96DEEBB7CAE50319B40053FF506B31D2EF789946C6D8
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0040C561: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                                                                                                            • PathFileExistsW.SHLWAPI(00000000), ref: 0040C727
                                                                                                                            • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C792
                                                                                                                            Strings
                                                                                                                            • User Data\Default\Network\Cookies, xrefs: 0040C70D
                                                                                                                            • User Data\Profile ?\Network\Cookies, xrefs: 0040C73F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ExistsFilePath
                                                                                                                            • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                                                                                            • API String ID: 1174141254-1980882731
                                                                                                                            • Opcode ID: 48aa145b66dc80a11566b4620fdd9ce13eae5fb2ee34664654c02424daf75182
                                                                                                                            • Instruction ID: 531025beeaae0c5c42121d483a56170e39db3028f8febaf9efde6b64dfa31b71
                                                                                                                            • Opcode Fuzzy Hash: 48aa145b66dc80a11566b4620fdd9ce13eae5fb2ee34664654c02424daf75182
                                                                                                                            • Instruction Fuzzy Hash: 4821127190011A96CB04F7A2DC96CEEBB78AE50359B40013FF506B31D2EF789946C6D8
                                                                                                                            APIs
                                                                                                                            • GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                                                                                                            • wsprintfW.USER32 ref: 0040B22E
                                                                                                                              • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: EventLocalTimewsprintf
                                                                                                                            • String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
                                                                                                                            • API String ID: 1497725170-1359877963
                                                                                                                            • Opcode ID: cedf099e6615bd9a092f6b8995edb8f7d80ba2e9813d3b68b1af5a24ede0ef5f
                                                                                                                            • Instruction ID: 4bcbbea8953a56f0834a7592719eb704c83d71ae81c48fe005db4fd1b538d991
                                                                                                                            • Opcode Fuzzy Hash: cedf099e6615bd9a092f6b8995edb8f7d80ba2e9813d3b68b1af5a24ede0ef5f
                                                                                                                            • Instruction Fuzzy Hash: 88114272404118AACB19AB96EC55CFE77BCEE48315B00012FF506A61D1FF7C5A45C6AD
APIs
  • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
  • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
• CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 0040AFA9
• CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 0040AFB5
• CreateThread.KERNEL32(00000000,00000000,0040A2D0,?,00000000,00000000), ref: 0040AFC1
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CreateThread$LocalTime$wsprintf
• String ID: Online Keylogger Started
APIs
• LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406ABD
• GetProcAddress.KERNEL32(00000000), ref: 00406AC4
Similarity
• API ID: AddressLibraryLoadProc
• String ID: CryptUnprotectData$crypt32
APIs
• WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
• CloseHandle.KERNEL32(?), ref: 004051CA
• SetEvent.KERNEL32(?), ref: 004051D9
Similarity
• API ID: CloseEventHandleObjectSingleWait
• String ID: Connection Timeout
APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040E86E
Similarity
• API ID: Exception@8Throw
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
APIs
• RegCreateKeyW.ADVAPI32(80000001,00000000,004752D8), ref: 0041385A
• RegSetValueExW.ADVAPI32(004752D8,?,00000000,00000001,00000000,00000000,004752F0,?,0040F85E,pth_unenc,004752D8), ref: 00413888
• RegCloseKey.ADVAPI32(004752D8,?,0040F85E,pth_unenc,004752D8), ref: 00413893
Similarity
• API ID: CloseCreateValue
• String ID: pth_unenc
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 0040DFEC
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040E02B
  • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 004356EC
  • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 00435710
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040E051
Similarity
• API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
• String ID: bad locale name
APIs
• CreateThread.KERNEL32(00000000,00000000,Function_0001D4EE,00000000,00000000,00000000), ref: 00416C82
• ShowWindow.USER32(00000009), ref: 00416C9C
• SetForegroundWindow.USER32 ref: 00416CA8
  • Part of subcall function 0041CE2C: AllocConsole.KERNEL32(00475338), ref: 0041CE35
  • Part of subcall function 0041CE2C: GetConsoleWindow.KERNEL32 ref: 0041CE3B
  • Part of subcall function 0041CE2C: ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
  • Part of subcall function 0041CE2C: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
Similarity
• API ID: Window$Console$Show$AllocCreateForegroundOutputThread
• String ID: !D@
APIs
• ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041616B
Strings
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: ExecuteShell
• String ID: /C $cmd.exe$open
• API String ID: 587946157-3896048727
• Opcode ID: 16ef31fdaf301ba362d07f058173c5de43aaddf50e1ff7222e4b3bcda840a0cd
• Instruction ID: 08f4dee505367bf09000beb2be63de5ecd082ae46aa0e0363999309db21c3e05
• Opcode Fuzzy Hash: 16ef31fdaf301ba362d07f058173c5de43aaddf50e1ff7222e4b3bcda840a0cd
• Instruction Fuzzy Hash: 5EE0C0B0204305ABC605F675DC96CBF73ADAA94749B50483F7142A20E2EF7C9D49C65D
APIs
• DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8B1
• RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8DC
Strings
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: DeleteDirectoryFileRemove
• String ID: pth_unenc$xdF
• API String ID: 3325800564-2448381268
• Opcode ID: d40ba35bdc574994431a00040681681ffd5cebc2bb5ef4fca25f9a910d4daf75
• Instruction ID: ee660421d7ec44f6c6eaad5e9e1fc6482a22fb53094cf60c5c3e5a772ac54322
• Opcode Fuzzy Hash: d40ba35bdc574994431a00040681681ffd5cebc2bb5ef4fca25f9a910d4daf75
• Instruction Fuzzy Hash: 5AE04F314006109BC610BB218854AD6335CAB04316F00497BE4A3A35A1DF38AC49D658
APIs
• TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
• UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
• TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
Strings
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: TerminateThread$HookUnhookWindows
• String ID: pth_unenc
• API String ID: 3123878439-4028850238
• Opcode ID: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
• Instruction ID: 372ac16de24f92ae7b862ff59389ff52a9cc8b3ac2037ffe6dc6d1e564519698
• Opcode Fuzzy Hash: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
• Instruction Fuzzy Hash: 71E01272204315EFD7201F909C888667AADEE1539632409BEF6C261BB6CB7D4C54C79D
APIs
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: __alldvrm$_strrchr
• String ID:
• API String ID: 1036877536-0
• Opcode ID: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
• Instruction ID: 8ce1af842cd152cb2b2428f5d584a25f6c9224aafe101b92c03b71ca88d34985
• Opcode Fuzzy Hash: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
• Instruction Fuzzy Hash: 87A156729846829FF721CF58C8817AEBBA5FF15314F2841AFE8859B381D27C8C51C75A
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
• Instruction ID: b0a34e1ed6630e1fb57c9e62860a3601010315cd62f19612bff23542d182db60
• Opcode Fuzzy Hash: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
• Instruction Fuzzy Hash: 70412AB1600704BFE724AF79CD41B5EBBE8EB88714F10462FF145DB281E3B999058798
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,10006FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 10008731
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 100087BA
• GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 100087CC
• __freea.LIBCMT ref: 100087D5
  • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
Memory Dump Source
• Source File: 00000000.00000002.4198476554.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4198460689.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4198476554.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__freea
• String ID:
• API String ID: 2652629310-0
• Opcode ID: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
• Instruction ID: 5b9b35b0a4db414dac5c81271493033b4f2f0f3dd9b893eeefd60fa04c8ec889
• Opcode Fuzzy Hash: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
• Instruction Fuzzy Hash: 2731AE32A0021AABEF15CF64CC85EAF7BA5EF44290F214129FC48D7158EB35DE50CBA0
APIs
Strings
• Cleared browsers logins and cookies., xrefs: 0040C130
• [Cleared browsers logins and cookies.], xrefs: 0040C11F
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
• API String ID: 3472027048-1236744412
• Opcode ID: 1d84a610968c0f989614364af8c032c8251bfa68e213ae620782c32fadd9a619
• Instruction ID: 5a72b8a34604a64e244bad04561a930bad76f77e78bf22f3e088d6afb7384554
• Opcode Fuzzy Hash: 1d84a610968c0f989614364af8c032c8251bfa68e213ae620782c32fadd9a619
• Instruction Fuzzy Hash: A31A805648381EDD6116BF514967AB7B824A53748F0882BFB8C4373C3DA7A4808C79F
APIs
  • Part of subcall function 00413733: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 0041374F
  • Part of subcall function 00413733: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00413768
  • Part of subcall function 00413733: RegCloseKey.KERNEL32(00000000), ref: 00413773
• Sleep.KERNEL32(00000BB8), ref: 004127B5
Strings
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: CloseOpenQuerySleepValue
• String ID: 8SG$exepath$xdF
• API String ID: 4119054056-3578471011
• Opcode ID: abb323afdf3d65a8fcb9fe28f99c1048d11d133e5e733d2859862f82a45f57bd
• Instruction ID: 51bf296395b05d3efeb7b41814c334b1d8e13e95dfba71b8de44539041ec8c28
• Opcode Fuzzy Hash: abb323afdf3d65a8fcb9fe28f99c1048d11d133e5e733d2859862f82a45f57bd
• Instruction Fuzzy Hash: 3521F4A1B003042BD604B6365D4AAAF724D8B80318F40897FBA56E72D3DFBC9D45826D
APIs
  • Part of subcall function 0041C5E2: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C5F2
  • Part of subcall function 0041C5E2: GetWindowTextLengthW.USER32(00000000), ref: 0041C5FB
  • Part of subcall function 0041C5E2: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C625
• Sleep.KERNEL32(000001F4), ref: 0040A5AE
• Sleep.KERNEL32(00000064), ref: 0040A638
Strings
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: Window$SleepText$ForegroundLength
• String ID: [ $ ]
• API String ID: 3309952895-93608704
• Opcode ID: f02f1a0373de4d905e268f57495fa08b349ea431ac4d969b5d726f466b44a1dd
• Instruction ID: 6255842b65d5da3793f092b3f1447ea5db7efb23f61c0c2d19f8aa6a86066f85
• Opcode Fuzzy Hash: f02f1a0373de4d905e268f57495fa08b349ea431ac4d969b5d726f466b44a1dd
• Instruction Fuzzy Hash: CB119F315143006BC614BB26CC579AF77A8AB90348F40083FF552661E3EF79AE18869B
APIs
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: SystemTimes$Sleep__aulldiv
• String ID:
• API String ID: 188215759-0
• Opcode ID: 32d4930cb2be9b30136c829dd369e4a23351f3455ccfda4be26c85d87a7cef4d
• Instruction ID: 634937a4cd8d43e921f59083ecd148feda9109121ee8127270144c35be039893
• Opcode Fuzzy Hash: 32d4930cb2be9b30136c829dd369e4a23351f3455ccfda4be26c85d87a7cef4d
• Instruction Fuzzy Hash: D01133B35043456BC304EAB5CD85DEF779CEBC4358F040A3EF64982061EE29E94986A6
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fcebbc467d131149bede3708c03e30a5933a8f2bf6fa192c1d79c37d30f8ae05
• Instruction ID: 2af8e1c260e5220142bf0b5f8a7e988c949d9a3a1697e0ff4d6bcf25ce69da1b
• Opcode Fuzzy Hash: fcebbc467d131149bede3708c03e30a5933a8f2bf6fa192c1d79c37d30f8ae05
• Instruction Fuzzy Hash: 7E01F2B26093557EFA202E786CC2F67630DCB51FBAB31033BB520612D2DB68DD40452C
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d36049e99d51c5662ea1cdccde7f001ca18baa555cb14a41c95be32ad22d597f
• Instruction ID: 437de9af4247593539f95cdbb70b1dc5411192884b5f12beac7b10196549b189
• Opcode Fuzzy Hash: d36049e99d51c5662ea1cdccde7f001ca18baa555cb14a41c95be32ad22d597f
• Instruction Fuzzy Hash: CB01ADB26096527ABA202E796CC5E27634CDB42BBA335037BF821512E3DF68DE054169
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,10001D66,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue), ref: 10005D13
• GetLastError.KERNEL32(?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000,00000364,?,10005BC8), ref: 10005D1F
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000), ref: 10005D2D
Memory Dump Source
• Source File: 00000000.00000002.4198476554.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4198460689.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4198476554.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
• Opcode ID: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
• Instruction ID: ab8c2af688280ff547417c348c7c3430721907d0b6a0cc88e9d35c15e8af339b
• Opcode Fuzzy Hash: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
• Instruction Fuzzy Hash: 59018436615732ABE7319B689C8CB4B7798EF056E2B214623F909D7158D731D801CAE0
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue), ref: 00448618
• GetLastError.KERNEL32(?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367), ref: 00448624
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000), ref: 00448632
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
• Opcode ID: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
• Instruction ID: 239c22332ac31c5199b3ba4764290be2907fca328f5d1df1ca03bb1201a614b6
• Opcode Fuzzy Hash: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
• Instruction Fuzzy Hash: D401FC32602322EBDB618A78EC4495F7758AF15BA2B22093AF909D3241DF24DC01C6EC
APIs
• ___BuildCatchObject.LIBVCRUNTIME ref: 004398FA
  • Part of subcall function 00439F32: ___AdjustPointer.LIBCMT ref: 00439F7C
• _UnwindNestedFrames.LIBCMT ref: 00439911
• ___FrameUnwindToState.LIBVCRUNTIME ref: 00439923
• CallCatchBlock.LIBVCRUNTIME ref: 00439947
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
• String ID:
• API String ID: 2633735394-0
• Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
• Instruction ID: 1eef882e9718bbd9a0ab38cd68ce054dbb3f9d4064fa539f417e17899f1f7293
• Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
• Instruction Fuzzy Hash: 38010532000109BBCF125F56CC01EDA3BAAEF5C754F05901AF95865221C3BAE862ABA4
APIs
• GetSystemMetrics.USER32(0000004C), ref: 0041942B
• GetSystemMetrics.USER32(0000004D), ref: 00419431
• GetSystemMetrics.USER32(0000004E), ref: 00419437
• GetSystemMetrics.USER32(0000004F), ref: 0041943D
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Yara matches
Similarity
• API ID: MetricsSystem
• String ID:
• API String ID: 4116985748-0
• Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
• Instruction ID: fd4820a3fb0c8fcfb80096478546269f04700e3de9cdf271d69d174aa35805c7
• Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
• Instruction Fuzzy Hash: 3FF0A4B1B043155BD700EE758C51A6B6ADAEBD4364F10043FF60887281EFB8DC468B84
                                                                                                                            APIs
                                                                                                                            • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438FB1
                                                                                                                            • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438FB6
                                                                                                                            • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438FBB
                                                                                                                              • Part of subcall function 0043A4BA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A4CB
                                                                                                                            • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438FD0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1761009282-0
                                                                                                                            • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                                                                                            • Instruction ID: 3a6c9073cd349407f79861cc5a63413a30b4b1af88e8d748f4708d1390bfb410
                                                                                                                            • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                                                                                            • Instruction Fuzzy Hash: 8DC04C44080381552C50B6B2110B2AF83521C7E38CF9074DFBDD1579474D5D052F553F
                                                                                                                            APIs
                                                                                                                            • __startOneArgErrorHandling.LIBCMT ref: 00442D3D
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorHandling__start
                                                                                                                            • String ID: pow
                                                                                                                            • API String ID: 3213639722-2276729525
                                                                                                                            • Opcode ID: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                                                                                                            • Instruction ID: 2abd0c7c8e13d4a8cd2c8141c546921d868ac315c0d238e81b652aa6ec7fde8b
                                                                                                                            • Opcode Fuzzy Hash: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                                                                                                            • Instruction Fuzzy Hash: 92515AE1E0460296FB167714CE4137B6794AB50741F70497BF0D6823EAEA7C8C859B4F
                                                                                                                            APIs
                                                                                                                            • GdiplusStartup.GDIPLUS(00474ACC,?,00000000,00000000), ref: 004187FA
                                                                                                                              • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,004EAAB8,00000010), ref: 004048E0
                                                                                                                              • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: GdiplusStartupconnectsend
                                                                                                                            • String ID: ,aF$NG
                                                                                                                            • API String ID: 1957403310-2168067942
                                                                                                                            • Opcode ID: ec0f3f0b52c3c08ac022e00a6e201670c4e953023af3dbe194b28e511b80340f
                                                                                                                            • Instruction ID: 646e85ae029ebb21aec6d49858a727e037fa7bb3a6359959f193cd142bf324ca
                                                                                                                            • Opcode Fuzzy Hash: ec0f3f0b52c3c08ac022e00a6e201670c4e953023af3dbe194b28e511b80340f
                                                                                                                            • Instruction Fuzzy Hash: 8E41D4713042015BC208FB22D892ABF7396ABC0358F50493FF54A672D2EF7C5D4A869E
                                                                                                                            APIs
                                                                                                                            • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418AF9
                                                                                                                              • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                                                                                                                            • SHCreateMemStream.SHLWAPI(00000000), ref: 00418B46
                                                                                                                              • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                                                                                                                              • Part of subcall function 004186B4: GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                                                                                            • String ID: image/jpeg
                                                                                                                            • API String ID: 1291196975-3785015651
                                                                                                                            • Opcode ID: 1a6cd23bb326207906ee55eab088e22a045b333238033622bcf03b289c973c7d
                                                                                                                            • Instruction ID: 4d0b5c8bb5c89928ccad9adfa1773eea8e0f3015d74a4b244142dc53e7d0f70c
                                                                                                                            • Opcode Fuzzy Hash: 1a6cd23bb326207906ee55eab088e22a045b333238033622bcf03b289c973c7d
                                                                                                                            • Instruction Fuzzy Hash: B5316D71604300AFC301EF65C884DAFBBE9EF8A304F00496EF985A7251DB7999048BA6
                                                                                                                            APIs
                                                                                                                            • GetACP.KERNEL32(?,20001004,?,00000002), ref: 00451C92
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: ACP$OCP
                                                                                                                            • API String ID: 0-711371036
                                                                                                                            • Opcode ID: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                                                                                                            • Instruction ID: 09b953eaa346ea86c897215e5a2a15a508f8bcb16f9b984b1dadcb699cf7d301
                                                                                                                            • Opcode Fuzzy Hash: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                                                                                                            • Instruction Fuzzy Hash: E821D862A80204A6DB36CF14C941BAB7266DB54B13F568426ED0AD7322F73BED45C35C
                                                                                                                            APIs
                                                                                                                            • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418BE5
                                                                                                                              • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                                                                                                                            • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00418C0A
                                                                                                                              • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                                                                                                                              • Part of subcall function 004186B4: GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                                                                                            • String ID: image/png
                                                                                                                            • API String ID: 1291196975-2966254431
                                                                                                                            • Opcode ID: c053decb124affeca1ca8e7c910363171ca68cdd065e9a4048a61e85df625b55
                                                                                                                            • Instruction ID: 3c300d9a249dbea914adbc87700f03e6b767f6cab6163cd9bde1f728fb98d86d
                                                                                                                            • Opcode Fuzzy Hash: c053decb124affeca1ca8e7c910363171ca68cdd065e9a4048a61e85df625b55
                                                                                                                            • Instruction Fuzzy Hash: ED219071204211AFC701AB61CC88CBFBBACEFCA754F10052EF54693261DB399955CBA6
                                                                                                                            APIs
                                                                                                                            • GetStdHandle.KERNEL32(000000F6), ref: 00449CBC
                                                                                                                            • GetFileType.KERNEL32(00000000), ref: 00449CCE
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: FileHandleType
                                                                                                                            • String ID: zM
APIs
• GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405030
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
• GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405087
Strings
• KeepAlive | Enabled | Timeout: , xrefs: 0040501F
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: LocalTime
• String ID: KeepAlive | Enabled | Timeout:
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: _free
• String ID: zM
APIs
• Sleep.KERNEL32 ref: 0041667B
• URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166DD
Strings
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: DownloadFileSleep
• String ID: !D@
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.4198476554.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
Similarity
• API ID: _strlen
• String ID: : $Se.
APIs
• GetLocalTime.KERNEL32(00000000), ref: 0041B59A
Strings
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: LocalTime
• String ID: | $%02i:%02i:%02i:%03i
APIs
• PathFileExistsW.SHLWAPI(00000000), ref: 0041ADCD
Strings
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ExistsFilePath
• String ID: alarm.wav$hYG
APIs
  • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
  • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
• CloseHandle.KERNEL32(?), ref: 0040B0EF
• UnhookWindowsHookEx.USER32 ref: 0040B102
Strings
Memory Dump Source
• Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
• String ID: Online Keylogger Stopped
APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 10002903
  • Part of subcall function 100035D2: RaiseException.KERNEL32(?,?,?,10002925,00000000,00000000,00000000,?,?,?,?,?,10002925,?,100121B8), ref: 10003632
• __CxxThrowException@8.LIBVCRUNTIME ref: 10002920
Strings
Memory Dump Source
• Source File: 00000000.00000002.4198476554.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
Similarity
• API ID: Exception@8Throw$ExceptionRaise
• String ID: Unknown exception
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00445909: EnterCriticalSection.KERNEL32(-0006D41D,?,0044305C,00000000,0046E938,0000000C,00443017,?,?,?,00445BA7,?,?,0044834A,00000001,00000364), ref: 00445918
                                                                                                                            • DeleteCriticalSection.KERNEL32(00471090,?,?,?,?,0046EB40,00000010,0043C225), ref: 00449B3E
                                                                                                                            • _free.LIBCMT ref: 00449B4C
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalSection$DeleteEnter_free
                                                                                                                            • String ID: zM
                                                                                                                            • API String ID: 1836352639-965490893
                                                                                                                            • Opcode ID: c4858f147dca3af98ff3072a35a331021ffe480fa2ea49ad75237c67703f4d69
                                                                                                                            • Instruction ID: 49f98359192604db3700e7d46e2ee0879056decf89b11c46129577f8840becb7
                                                                                                                            • Opcode Fuzzy Hash: c4858f147dca3af98ff3072a35a331021ffe480fa2ea49ad75237c67703f4d69
                                                                                                                            • Instruction Fuzzy Hash: C3115E31500214DFEB20DFA8E846B5D73B0FB04724F10455AE8599B2E6CBBCEC429B0D
                                                                                                                            APIs
                                                                                                                            • waveInPrepareHeader.WINMM(004CF9C0,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
                                                                                                                            • waveInAddBuffer.WINMM(004CF9C0,00000020,?,00000000,00401A15), ref: 0040185F
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: wave$BufferHeaderPrepare
                                                                                                                            • String ID: XMG
                                                                                                                            • API String ID: 2315374483-813777761
                                                                                                                            • Opcode ID: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                                                                                                                            • Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
                                                                                                                            • Opcode Fuzzy Hash: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                                                                                                                            • Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _free
                                                                                                                            • String ID: $G
                                                                                                                            • API String ID: 269201875-4251033865
                                                                                                                            • Opcode ID: 0435164efccf50aa8117c2daa51ec46fe1437c867187ee89b2aa6ea167946eb6
                                                                                                                            • Instruction ID: 4a6f060c21597e0392f33703011e6e0157da39883ddad7ec559e06d861eb6f1f
                                                                                                                            • Opcode Fuzzy Hash: 0435164efccf50aa8117c2daa51ec46fe1437c867187ee89b2aa6ea167946eb6
                                                                                                                            • Instruction Fuzzy Hash: 64E0E532A0152014F6713A3B6D1665B45C68BC1B3AF22423FF425962C2DFAC8946516E
                                                                                                                            APIs
                                                                                                                            • IsValidLocale.KERNEL32(00000000,kKD,00000000,00000001,?,?,00444B6B,?,?,?,?,00000004), ref: 00448BB2
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: LocaleValid
                                                                                                                            • String ID: IsValidLocaleName$kKD
                                                                                                                            • API String ID: 1901932003-3269126172
                                                                                                                            • Opcode ID: e2be842f2307acef5cef967ff3e72c46beaafbec9f28b2cc6d0622aebebc3446
                                                                                                                            • Instruction ID: c774fcfd7954269485cc3e12fd2bed3330e0a6a7af379781e67d062e13931268
                                                                                                                            • Opcode Fuzzy Hash: e2be842f2307acef5cef967ff3e72c46beaafbec9f28b2cc6d0622aebebc3446
                                                                                                                            • Instruction Fuzzy Hash: 9BF05230A80708FBDB016B60DC06FAE7B54CB44B12F10007EFD046B291DE799E0091ED
                                                                                                                            APIs
                                                                                                                            • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ExistsFilePath
                                                                                                                            • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                                                                                                            • API String ID: 1174141254-4188645398
                                                                                                                            • Opcode ID: 67a37633ad4a3934eb7a9710067efd7b2c9a9b469ed032209e18e61634ff2717
                                                                                                                            • Instruction ID: 9b0ec594f197676e752fca63164bf20e3c748e9c9f1ad615e42e10c79405690b
                                                                                                                            • Opcode Fuzzy Hash: 67a37633ad4a3934eb7a9710067efd7b2c9a9b469ed032209e18e61634ff2717
                                                                                                                            • Instruction Fuzzy Hash: FEF05E30A00219A6CA04BBB69C478AF7B289910759B40017FBA01B21D3EE78994586DD
                                                                                                                            APIs
                                                                                                                            • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ExistsFilePath
                                                                                                                            • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                                                                                                            • API String ID: 1174141254-2800177040
                                                                                                                            • Opcode ID: 7414731bf553168197ebf71208b97339720711320eac3921dee6b082f9eb1638
                                                                                                                            • Instruction ID: ebfb9b6c20c42028ef61fa2b9513503d2b9bf0243ac81fc6585c9643e3935da3
                                                                                                                            • Opcode Fuzzy Hash: 7414731bf553168197ebf71208b97339720711320eac3921dee6b082f9eb1638
                                                                                                                            • Instruction Fuzzy Hash: F1F05E70A0021AE6CA04BBB69C478EF7B2C9910755B40017BBA01721D3FE7CA94586ED
                                                                                                                            APIs
                                                                                                                            • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5F7
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ExistsFilePath
                                                                                                                            • String ID: AppData$\Opera Software\Opera Stable\
                                                                                                                            • API String ID: 1174141254-1629609700
                                                                                                                            • Opcode ID: 8000172e7e681251177a335894fd2e2a37e3823944c94c6a399ddcaad00f7658
                                                                                                                            • Instruction ID: 695210f55460e2722832162fecb8267ed9c5d90cd61684e29202a639a57ef244
                                                                                                                            • Opcode Fuzzy Hash: 8000172e7e681251177a335894fd2e2a37e3823944c94c6a399ddcaad00f7658
                                                                                                                            • Instruction Fuzzy Hash: 38F05E30A00219D6CA14BBB69C478EF7B2C9950755F1005BBBA01B21D3EE789941C6ED
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _free
                                                                                                                            • String ID: $G
                                                                                                                            • API String ID: 269201875-4251033865
                                                                                                                            • Opcode ID: c3cbfa58486471b9b0b5450975d814376b4bfcef5d9edc52bbd6be3dc13577df
                                                                                                                            • Instruction ID: 5d396c1abc39b18bdc3e623667384c8b5cce6391ee106473ff554fc58991571d
                                                                                                                            • Opcode Fuzzy Hash: c3cbfa58486471b9b0b5450975d814376b4bfcef5d9edc52bbd6be3dc13577df
                                                                                                                            • Instruction Fuzzy Hash: 7CE0E532A0652041F675763B2D05A5B47C55FC2B3AF22033BF028861C1DFEC494A606E
                                                                                                                            APIs
                                                                                                                            • GetKeyState.USER32(00000011), ref: 0040B686
                                                                                                                              • Part of subcall function 0040A41B: GetForegroundWindow.USER32(?,?,004750F0), ref: 0040A451
                                                                                                                              • Part of subcall function 0040A41B: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                                                                                                              • Part of subcall function 0040A41B: GetKeyboardLayout.USER32(00000000), ref: 0040A464
                                                                                                                              • Part of subcall function 0040A41B: GetKeyState.USER32(00000010), ref: 0040A46E
                                                                                                                              • Part of subcall function 0040A41B: GetKeyboardState.USER32(?,?,004750F0), ref: 0040A479
                                                                                                                              • Part of subcall function 0040A41B: ToUnicodeEx.USER32(00475144,00000000,?,?,00000010,00000000,00000000), ref: 0040A49C
                                                                                                                              • Part of subcall function 0040A41B: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                                                                                                                              • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                                                                                            • String ID: [AltL]$[AltR]
                                                                                                                            • API String ID: 2738857842-2658077756
                                                                                                                            • Opcode ID: 0f70a0069a612ae1fb5ede6b6ff70f96726a9fd1eec0d97551c5347f5f324e5e
                                                                                                                            • Instruction ID: d407634c764e35d79823ffb94670adf82ecea3c262ef0a09b09082b5b6a355d5
                                                                                                                            • Opcode Fuzzy Hash: 0f70a0069a612ae1fb5ede6b6ff70f96726a9fd1eec0d97551c5347f5f324e5e
                                                                                                                            • Instruction Fuzzy Hash: B2E0652171032052C859363D592FABE2D11CB41B64B42097FF842AB7D6DABF4D5543CF
                                                                                                                            APIs
                                                                                                                            • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161E3
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ExecuteShell
                                                                                                                            • String ID: !D@$open
                                                                                                                            • API String ID: 587946157-1586967515
                                                                                                                            • Opcode ID: 362c1c5fd20623688fdc3d2448c9f4f4186b82f57ee2e05463dad5c5776c9df8
                                                                                                                            • Instruction ID: 3b2857edeaddefe186f4a0a52e989bb70d7a4cfa1db765b6d796ce97600c5b03
                                                                                                                            • Opcode Fuzzy Hash: 362c1c5fd20623688fdc3d2448c9f4f4186b82f57ee2e05463dad5c5776c9df8
                                                                                                                            • Instruction Fuzzy Hash: 4AE012712483059AD214EA72DC92EFEB35CAB54755F404C3FF506524E2EF3C5C49C66A
                                                                                                                            APIs
                                                                                                                            • GetKeyState.USER32(00000012), ref: 0040B6E0
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: State
                                                                                                                            • String ID: [CtrlL]$[CtrlR]
                                                                                                                            • API String ID: 1649606143-2446555240
                                                                                                                            • Opcode ID: 1d2d80fd5b8c20147d0c6ff4d402c2e3edc42c22dff79285f987829e6048126c
                                                                                                                            • Instruction ID: b338140f060b4cc34328e336f8905ed3f99262ec5dadafe534bff25dd27afc5e
                                                                                                                            • Opcode Fuzzy Hash: 1d2d80fd5b8c20147d0c6ff4d402c2e3edc42c22dff79285f987829e6048126c
                                                                                                                            • Instruction Fuzzy Hash: CFE04F2160072052C5243A7D561A67A2911C7C2764F41057BE9826B7C6DABE891452DF
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00449ADC: DeleteCriticalSection.KERNEL32(00471090,?,?,?,?,0046EB40,00000010,0043C225), ref: 00449B3E
                                                                                                                              • Part of subcall function 00449ADC: _free.LIBCMT ref: 00449B4C
                                                                                                                              • Part of subcall function 00449B7C: _free.LIBCMT ref: 00449B9E
                                                                                                                            • DeleteCriticalSection.KERNEL32(004D7AC0), ref: 0043C241
                                                                                                                            • _free.LIBCMT ref: 0043C255
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _free$CriticalDeleteSection
                                                                                                                            • String ID: zM
                                                                                                                            • API String ID: 1906768660-965490893
                                                                                                                            • Opcode ID: 63eb8731bacd2bc92b6a517d3705648d3868340f9125810a73be92756070acfe
                                                                                                                            • Instruction ID: 53b3c8965ed62865b06495ab0c988fe80dbb580c75aaeb32feec7d00177b517a
                                                                                                                            • Opcode Fuzzy Hash: 63eb8731bacd2bc92b6a517d3705648d3868340f9125810a73be92756070acfe
                                                                                                                            • Instruction Fuzzy Hash: F8E04F328145208FEB71BB69FD4595A73E4EB4D325B12086FF80DA3165CAADAC809B4D
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                                                                            • __Init_thread_footer.LIBCMT ref: 00410F64
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Init_thread_footer__onexit
                                                                                                                            • String ID: ,kG$0kG
                                                                                                                            • API String ID: 1881088180-2015055088
                                                                                                                            • Opcode ID: bf6eaf7ad603c651630b5b847c32adb66bdf614d62153d48efbad85f1494e607
                                                                                                                            • Instruction ID: 52a075922dd803dc3791164d579436726ad124eb3de8ddc986de269a183bf650
                                                                                                                            • Opcode Fuzzy Hash: bf6eaf7ad603c651630b5b847c32adb66bdf614d62153d48efbad85f1494e607
                                                                                                                            • Instruction Fuzzy Hash: A8E0D8315149208EC514B729E542AC53395DB0E324B21907BF014D72D2CBAE78C28E5D
                                                                                                                            APIs
                                                                                                                            • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D17F,00000000,004752D8,004752F0,?,pth_unenc), ref: 00413A6C
                                                                                                                            • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00413A80
                                                                                                                            Strings
                                                                                                                            • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A6A
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: DeleteOpenValue
                                                                                                                            • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                                                                                            • API String ID: 2654517830-1051519024
                                                                                                                            • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                                                                                                            • Instruction ID: 8a242acd51d06e7ce72e997358fe7bb9804e2c240f13b939b69747d851efcbee
                                                                                                                            • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                                                                                                            • Instruction Fuzzy Hash: FFE0C231244208FBEF104FB1DD06FFA7B2CDB01F42F1006A9BA0692192C626CE049664
                                                                                                                            APIs
                                                                                                                            • TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                                                                                            • WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ObjectProcessSingleTerminateWait
                                                                                                                            • String ID: pth_unenc
                                                                                                                            • API String ID: 1872346434-4028850238
                                                                                                                            • Opcode ID: a2eb2d9afd673111ff5afcc9fde18e5bb16fff8f446b795bb15600cc5347fa32
                                                                                                                            • Instruction ID: 30425768eaae71e8f6d4d073063fb5581f05561c6d480f36d281b696a9d2b878
                                                                                                                            • Opcode Fuzzy Hash: a2eb2d9afd673111ff5afcc9fde18e5bb16fff8f446b795bb15600cc5347fa32
                                                                                                                            • Instruction Fuzzy Hash: DBD01234149312FFD7310F60EE4DB443B589705362F140361F439552F1C7A589D4AB58
                                                                                                                            APIs
                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D77
                                                                                                                            • GetLastError.KERNEL32 ref: 00440D85
                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440DE0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ByteCharMultiWide$ErrorLast
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1717984340-0
                                                                                                                            • Opcode ID: b039ec4469df985fcedc89be96e173b9c6b75658958c27081834ba59c0289411
                                                                                                                            • Instruction ID: 51be13377619d21db21fabe69686c0ed70cae26876ac5a8e773c252addda8789
                                                                                                                            • Opcode Fuzzy Hash: b039ec4469df985fcedc89be96e173b9c6b75658958c27081834ba59c0289411
                                                                                                                            • Instruction Fuzzy Hash: 2D412670A00212AFEF218FA5C8447BBBBA4EF41310F2045AAFA59573E1DB399C31C759
                                                                                                                            APIs
                                                                                                                            • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411BC7
                                                                                                                            • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411C93
                                                                                                                            • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411CB5
                                                                                                                            • SetLastError.KERNEL32(0000007E,00411F2B), ref: 00411CCC
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.4197473278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.4197457534.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197510828.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197531750.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.4197560149.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLastRead
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4100373531-0
                                                                                                                            • Opcode ID: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                                                                                                            • Instruction ID: 65e884089caabfe283b2879acbb60db065d5dd9ad58be7743d127bf22715a70c
                                                                                                                            • Opcode Fuzzy Hash: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                                                                                                            • Instruction Fuzzy Hash: 60419D716443059FEB248F19DC84BA7B3E4FF44714F00082EEA4A876A1F738E845CB99

                                                                                                                            Execution Graph

                                                                                                                            Execution Coverage:6.2%
                                                                                                                            Dynamic/Decrypted Code Coverage:9.2%
                                                                                                                            Signature Coverage:2.1%
                                                                                                                            Total number of Nodes:2000
                                                                                                                            Total number of Limit Nodes:66
413da5 OpenProcess 38505->38506 38507 413f17 CloseHandle 38505->38507 38508 413df3 memset 38506->38508 38511 413eb0 38506->38511 38507->38248 39631 413f27 38508->39631 38510 413ebf free 38510->38511 38511->38505 38511->38510 38512 4099f4 3 API calls 38511->38512 38512->38511 38513 413e37 GetModuleHandleW 38515 413e46 GetProcAddress 38513->38515 38516 413e1f 38513->38516 38515->38516 38516->38513 39636 413959 38516->39636 39652 413ca4 38516->39652 38518 413ea2 CloseHandle 38518->38511 38520 414c2e 17 API calls 38519->38520 38521 403eb7 38520->38521 38522 414c2e 17 API calls 38521->38522 38523 403ec5 38522->38523 38524 409d1f 6 API calls 38523->38524 38525 403ee2 38524->38525 38526 409d1f 6 API calls 38525->38526 38527 403efd 38526->38527 38528 409d1f 6 API calls 38527->38528 38529 403f15 38528->38529 38530 403af5 20 API calls 38529->38530 38531 403f29 38530->38531 38532 403af5 20 API calls 38531->38532 38533 403f3a 38532->38533 38534 40414f 33 API calls 38533->38534 38540 403f4f 38534->38540 38535 403faf 39666 40b1ab free free 38535->39666 38537 403f5b memset 38537->38540 38538 403fb7 38538->38194 38539 4099c6 2 API calls 38539->38540 38540->38535 38540->38537 38540->38539 38541 40a8ab 9 API calls 38540->38541 38541->38540 38543 414c2e 17 API calls 38542->38543 38544 403d26 38543->38544 38545 414c2e 17 API calls 38544->38545 38546 403d34 38545->38546 38547 409d1f 6 API calls 38546->38547 38548 403d51 38547->38548 38549 409d1f 6 API calls 38548->38549 38550 403d6c 38549->38550 38551 409d1f 6 API calls 38550->38551 38552 403d84 38551->38552 38553 403af5 20 API calls 38552->38553 38554 403d98 38553->38554 38555 403af5 20 API calls 38554->38555 38556 403da9 38555->38556 38557 40414f 33 API calls 38556->38557 38563 403dbe 38557->38563 38558 403e1e 39667 40b1ab free free 38558->39667 38560 403dca memset 38560->38563 38561 403e26 38561->38197 38562 4099c6 2 API calls 38562->38563 38563->38558 38563->38560 38563->38562 38564 40a8ab 9 API calls 38563->38564 38564->38563 
38566 414b81 9 API calls 38565->38566 38567 414c40 38566->38567 38568 414c73 memset 38567->38568 39668 409cea 38567->39668 38570 414c94 38568->38570 39671 414592 RegOpenKeyExW 38570->39671 38572 414c64 SHGetSpecialFolderPathW 38575 414d0b 38572->38575 38573 414cc1 38576 414cf4 wcscpy 38573->38576 39672 414bb0 wcscpy 38573->39672 38575->38189 38576->38575 38578 414cd2 39673 4145ac RegQueryValueExW 38578->39673 38580 414ce9 RegCloseKey 38580->38576 38582 409d62 38581->38582 38583 409d43 wcscpy 38581->38583 38582->38228 38584 409719 2 API calls 38583->38584 38585 409d51 wcscat 38584->38585 38585->38582 38587 40aebe FindClose 38586->38587 38588 40ae21 38587->38588 38589 4099c6 2 API calls 38588->38589 38590 40ae35 38589->38590 38591 409d1f 6 API calls 38590->38591 38592 40ae49 38591->38592 38592->38293 38594 40ade0 38593->38594 38595 40ae0f 38593->38595 38594->38595 38596 40ade7 wcscmp 38594->38596 38595->38293 38596->38595 38597 40adfe wcscmp 38596->38597 38597->38595 38599 40ae18 9 API calls 38598->38599 38601 4453c4 38599->38601 38600 40ae51 9 API calls 38600->38601 38601->38600 38602 4453f3 38601->38602 38603 40add4 2 API calls 38601->38603 38606 445403 254 API calls 38601->38606 38604 40aebe FindClose 38602->38604 38603->38601 38605 4453fe 38604->38605 38605->38293 38606->38601 38608 40ae7b FindNextFileW 38607->38608 38609 40ae5c FindFirstFileW 38607->38609 38610 40ae94 38608->38610 38611 40ae8f 38608->38611 38609->38610 38613 40aeb6 38610->38613 38614 409d1f 6 API calls 38610->38614 38612 40aebe FindClose 38611->38612 38612->38610 38613->38293 38614->38613 38615->38177 38616->38158 38617->38251 38618->38235 38619->38235 38620->38266 38622 409c89 38621->38622 38622->38289 38623->38318 38625 413d39 38624->38625 38626 413d2f FreeLibrary 38624->38626 38627 40b633 free 38625->38627 38626->38625 38628 413d42 38627->38628 38629 40b633 free 38628->38629 38630 413d4a 38629->38630 38630->38150 38631->38157 38632->38145 38633->38221 38635 44db70 38634->38635 38636 40b6fc 
memset 38635->38636 38637 409c70 2 API calls 38636->38637 38638 40b732 wcsrchr 38637->38638 38639 40b743 38638->38639 38640 40b746 memset 38638->38640 38639->38640 38641 40b2cc 27 API calls 38640->38641 38642 40b76f 38641->38642 38643 409d1f 6 API calls 38642->38643 38644 40b783 38643->38644 39674 409b98 GetFileAttributesW 38644->39674 38646 40b792 38647 40b7c2 38646->38647 38648 409c70 2 API calls 38646->38648 39675 40bb98 38647->39675 38650 40b7a5 38648->38650 38654 40b2cc 27 API calls 38650->38654 38652 40b837 CloseHandle 38656 40b83e memset 38652->38656 38653 40b817 38655 409a45 3 API calls 38653->38655 38657 40b7b2 38654->38657 38658 40b827 CopyFileW 38655->38658 39708 40a6e6 WideCharToMultiByte 38656->39708 38660 409d1f 6 API calls 38657->38660 38658->38656 38660->38647 38661 40b866 38662 444432 121 API calls 38661->38662 38663 40b879 38662->38663 38664 40bad5 38663->38664 38665 40b273 27 API calls 38663->38665 38666 40baeb 38664->38666 38667 40bade DeleteFileW 38664->38667 38668 40b89a 38665->38668 38669 40b04b ??3@YAXPAX 38666->38669 38667->38666 38671 438552 134 API calls 38668->38671 38670 40baf3 38669->38670 38670->38147 38672 40b8a4 38671->38672 38673 40bacd 38672->38673 38675 4251c4 137 API calls 38672->38675 38674 443d90 111 API calls 38673->38674 38674->38664 38697 40b8b8 38675->38697 38676 40bac6 39718 424f26 123 API calls 38676->39718 38677 40b8bd memset 39709 425413 17 API calls 38677->39709 38680 425413 17 API calls 38680->38697 38683 40a71b MultiByteToWideChar 38683->38697 38686 40b9b5 memcmp 38686->38697 38687 4099c6 2 API calls 38687->38697 38688 404423 38 API calls 38688->38697 38691 4251c4 137 API calls 38691->38697 38692 40bb3e memset memcpy 39719 40a734 MultiByteToWideChar 38692->39719 38694 40bb88 LocalFree 38694->38697 38697->38676 38697->38677 38697->38680 38697->38683 38697->38686 38697->38687 38697->38688 38697->38691 38697->38692 38698 40ba5f memcmp 38697->38698 38699 40a734 MultiByteToWideChar 38697->38699 39710 4253ef 16 API calls 
38697->39710 39711 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 38697->39711 39712 4253af 17 API calls 38697->39712 39713 4253cf 17 API calls 38697->39713 39714 447280 memset 38697->39714 39715 447960 memset memcpy memcpy memcpy 38697->39715 39716 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 38697->39716 39717 447920 memcpy memcpy memcpy 38697->39717 38698->38697 38699->38697 38700->38224 38702 40aed1 38701->38702 38703 40aec7 FindClose 38701->38703 38702->38161 38703->38702 38705 4099d7 38704->38705 38706 4099da memcpy 38704->38706 38705->38706 38706->38208 38708 40b2cc 27 API calls 38707->38708 38709 44543f 38708->38709 38710 409d1f 6 API calls 38709->38710 38711 44544f 38710->38711 39803 409b98 GetFileAttributesW 38711->39803 38713 44545e 38714 445476 38713->38714 38715 40b6ef 253 API calls 38713->38715 38716 40b2cc 27 API calls 38714->38716 38715->38714 38717 445482 38716->38717 38718 409d1f 6 API calls 38717->38718 38719 445492 38718->38719 39804 409b98 GetFileAttributesW 38719->39804 38721 4454a1 38722 4454b9 38721->38722 38723 40b6ef 253 API calls 38721->38723 38722->38233 38723->38722 38724->38232 38725->38256 38726->38259 38727->38296 38728->38278 38729->38325 38730->38325 38731->38307 38732->38337 38733->38339 38734->38341 38736 414c2e 17 API calls 38735->38736 38737 40c2ae 38736->38737 38807 40c1d3 38737->38807 38742 40c3be 38759 40a8ab 38742->38759 38743 40afcf 2 API calls 38744 40c2fd FindFirstUrlCacheEntryW 38743->38744 38745 40c3b6 38744->38745 38746 40c31e wcschr 38744->38746 38747 40b04b ??3@YAXPAX 38745->38747 38748 40c331 38746->38748 38749 40c35e FindNextUrlCacheEntryW 38746->38749 38747->38742 38751 40a8ab 9 API calls 38748->38751 38749->38746 38750 40c373 GetLastError 38749->38750 38752 40c3ad FindCloseUrlCache 38750->38752 38753 40c37e 38750->38753 38754 40c33e wcschr 38751->38754 38752->38745 38755 40afcf 2 API calls 38753->38755 38754->38749 38756 40c34f 38754->38756 38757 40c391 FindNextUrlCacheEntryW 38755->38757 38758 40a8ab 9 API calls 
38756->38758 38757->38746 38757->38752 38758->38749 38996 40a97a 38759->38996 38762 40a8cc 38762->38348 38763 40a8d0 7 API calls 38763->38762 39001 40b1ab free free 38764->39001 38766 40c3dd 38767 40b2cc 27 API calls 38766->38767 38768 40c3e7 38767->38768 39002 414592 RegOpenKeyExW 38768->39002 38770 40c3f4 38771 40c50e 38770->38771 38772 40c3ff 38770->38772 38786 405337 38771->38786 38773 40a9ce 4 API calls 38772->38773 38774 40c418 memset 38773->38774 39003 40aa1d 38774->39003 38777 40c471 38779 40c47a _wcsupr 38777->38779 38778 40c505 RegCloseKey 38778->38771 38780 40a8d0 7 API calls 38779->38780 38781 40c498 38780->38781 38782 40a8d0 7 API calls 38781->38782 38783 40c4ac memset 38782->38783 38784 40aa1d 38783->38784 38785 40c4e4 RegEnumValueW 38784->38785 38785->38778 38785->38779 39005 405220 38786->39005 38790 4099c6 2 API calls 38789->38790 38791 40a714 _wcslwr 38790->38791 38792 40c634 38791->38792 39062 405361 38792->39062 38795 40c65c wcslen 39065 4053b6 39 API calls 38795->39065 38796 40c71d wcslen 38796->38362 38798 40c677 38799 40c713 38798->38799 39066 40538b 39 API calls 38798->39066 39068 4053df 39 API calls 38799->39068 38802 40c6a5 38802->38799 38803 40c6a9 memset 38802->38803 38804 40c6d3 38803->38804 39067 40c589 44 API calls 38804->39067 38806->38355 38808 40ae18 9 API calls 38807->38808 38814 40c210 38808->38814 38809 40ae51 9 API calls 38809->38814 38810 40c264 38811 40aebe FindClose 38810->38811 38813 40c26f 38811->38813 38812 40add4 2 API calls 38812->38814 38819 40e5ed memset memset 38813->38819 38814->38809 38814->38810 38814->38812 38815 40c231 _wcsicmp 38814->38815 38816 40c1d3 35 API calls 38814->38816 38815->38814 38817 40c248 38815->38817 38816->38814 38832 40c084 22 API calls 38817->38832 38820 414c2e 17 API calls 38819->38820 38821 40e63f 38820->38821 38822 409d1f 6 API calls 38821->38822 38823 40e658 38822->38823 38833 409b98 GetFileAttributesW 38823->38833 38825 40e667 38827 409d1f 6 API calls 38825->38827 38829 40e680 
38825->38829 38827->38829 38828 40e68f 38830 40c2d8 38828->38830 38835 40e4b2 38828->38835 38834 409b98 GetFileAttributesW 38829->38834 38830->38742 38830->38743 38832->38814 38833->38825 38834->38828 38856 40e01e 38835->38856 38837 40e593 38838 40e5b0 38837->38838 38839 40e59c DeleteFileW 38837->38839 38840 40b04b ??3@YAXPAX 38838->38840 38839->38838 38842 40e5bb 38840->38842 38841 40e521 38841->38837 38879 40e175 38841->38879 38844 40e5c4 CloseHandle 38842->38844 38845 40e5cc 38842->38845 38844->38845 38847 40b633 free 38845->38847 38846 40e573 38849 40e584 38846->38849 38850 40e57c CloseHandle 38846->38850 38848 40e5db 38847->38848 38853 40b633 free 38848->38853 38922 40b1ab free free 38849->38922 38850->38849 38852 40e540 38852->38846 38899 40e2ab 38852->38899 38854 40e5e3 38853->38854 38854->38830 38923 406214 38856->38923 38859 40e16b 38859->38841 38862 40afcf 2 API calls 38863 40e08d OpenProcess 38862->38863 38864 40e0a4 GetCurrentProcess DuplicateHandle 38863->38864 38868 40e152 38863->38868 38865 40e0d0 GetFileSize 38864->38865 38866 40e14a CloseHandle 38864->38866 38959 409a45 GetTempPathW 38865->38959 38866->38868 38867 40e160 38871 40b04b ??3@YAXPAX 38867->38871 38868->38867 38870 406214 22 API calls 38868->38870 38870->38867 38871->38859 38872 40e0ea 38962 4096dc CreateFileW 38872->38962 38874 40e0f1 CreateFileMappingW 38875 40e140 CloseHandle CloseHandle 38874->38875 38876 40e10b MapViewOfFile 38874->38876 38875->38866 38877 40e13b CloseHandle 38876->38877 38878 40e11f WriteFile UnmapViewOfFile 38876->38878 38877->38875 38878->38877 38880 40e18c 38879->38880 38963 406b90 38880->38963 38883 40e1a7 memset 38889 40e1e8 38883->38889 38884 40e299 38973 4069a3 38884->38973 38890 40e283 38889->38890 38891 40dd50 _wcsicmp 38889->38891 38897 40e244 _snwprintf 38889->38897 38980 406e8f 13 API calls 38889->38980 38981 40742e 8 API calls 38889->38981 38982 40aae3 wcslen wcslen _memicmp 38889->38982 38983 406b53 SetFilePointerEx ReadFile 38889->38983 38892 40e291 
38890->38892 38893 40e288 free 38890->38893 38891->38889 38894 40aa04 free 38892->38894 38893->38892 38894->38884 38898 40a8d0 7 API calls 38897->38898 38898->38889 38900 40e2c2 38899->38900 38901 406b90 11 API calls 38900->38901 38916 40e2d3 38901->38916 38902 40e4a0 38903 4069a3 2 API calls 38902->38903 38904 40e4ab 38903->38904 38904->38852 38907 40e489 38908 40aa04 free 38907->38908 38910 40e491 38908->38910 38909 40dd50 _wcsicmp 38909->38916 38910->38902 38911 40e497 free 38910->38911 38911->38902 38913 40e376 memset 38986 40aa29 38913->38986 38916->38902 38916->38907 38916->38909 38917 40e3e0 memcpy 38916->38917 38918 40e3b3 wcschr 38916->38918 38919 40e3fb memcpy 38916->38919 38920 40e416 memcpy 38916->38920 38921 40e431 memcpy 38916->38921 38984 406e8f 13 API calls 38916->38984 38985 40dd50 _wcsicmp 38916->38985 38994 40742e 8 API calls 38916->38994 38995 406b53 SetFilePointerEx ReadFile 38916->38995 38917->38916 38918->38916 38919->38916 38920->38916 38921->38916 38922->38837 38924 406294 CloseHandle 38923->38924 38925 406224 38924->38925 38926 4096c3 CreateFileW 38925->38926 38927 40622d 38926->38927 38928 406281 GetLastError 38927->38928 38930 40a2ef ReadFile 38927->38930 38929 40625a 38928->38929 38929->38859 38934 40dd85 memset 38929->38934 38931 406244 38930->38931 38931->38928 38932 40624b 38931->38932 38932->38929 38933 406777 19 API calls 38932->38933 38933->38929 38935 409bca GetModuleFileNameW 38934->38935 38936 40ddbe CreateFileW 38935->38936 38939 40ddf1 38936->38939 38937 40afcf ??2@YAPAXI ??3@YAXPAX 38937->38939 38938 41352f 9 API calls 38938->38939 38939->38937 38939->38938 38940 40de0b NtQuerySystemInformation 38939->38940 38941 40de3b CloseHandle GetCurrentProcessId 38939->38941 38940->38939 38942 40de54 38941->38942 38943 413d4c 46 API calls 38942->38943 38951 40de88 38943->38951 38944 40e00c 38945 413d29 free FreeLibrary 38944->38945 38946 40e014 38945->38946 38946->38859 38946->38862 38947 40dea9 _wcsicmp 38948 40dee7 OpenProcess 
38947->38948 38949 40debd _wcsicmp 38947->38949 38948->38951 38949->38948 38950 40ded0 _wcsicmp 38949->38950 38950->38948 38950->38951 38951->38944 38951->38947 38952 40dfef CloseHandle 38951->38952 38953 40df78 38951->38953 38954 40df23 GetCurrentProcess DuplicateHandle 38951->38954 38957 40df8f CloseHandle 38951->38957 38952->38951 38953->38952 38953->38957 38958 40dfae _wcsicmp 38953->38958 38954->38951 38955 40df4c memset 38954->38955 38956 41352f 9 API calls 38955->38956 38956->38951 38957->38953 38958->38951 38958->38953 38960 409a74 GetTempFileNameW 38959->38960 38961 409a66 GetWindowsDirectoryW 38959->38961 38960->38872 38961->38960 38962->38874 38964 406bd5 38963->38964 38967 406bad 38963->38967 38966 4066bf free malloc memcpy free free 38964->38966 38972 406c0f 38964->38972 38965 406bba _wcsicmp 38965->38964 38965->38967 38968 406be5 38966->38968 38967->38964 38967->38965 38969 40afcf ??2@YAPAXI ??3@YAXPAX 38968->38969 38968->38972 38970 406bff 38969->38970 38971 4068bf SetFilePointerEx memcpy ReadFile ??2@YAPAXI ??3@YAXPAX 38970->38971 38971->38972 38972->38883 38972->38884 38974 4069c4 ??3@YAXPAX 38973->38974 38975 4069af 38974->38975 38976 40b633 free 38975->38976 38977 4069ba 38976->38977 38978 40b04b ??3@YAXPAX 38977->38978 38979 4069c2 38978->38979 38979->38852 38980->38889 38981->38889 38982->38889 38983->38889 38984->38916 38985->38913 38987 40aa33 38986->38987 38988 40aa63 38986->38988 38989 40aa44 38987->38989 38990 40aa38 wcslen 38987->38990 38988->38916 38991 40a9ce malloc memcpy free free 38989->38991 38990->38989 38992 40aa4d 38991->38992 38992->38988 38993 40aa51 memcpy 38992->38993 38993->38988 38994->38916 38995->38916 38998 40a980 38996->38998 38997 40a8bb 38997->38762 38997->38763 38998->38997 38999 40a995 _wcsicmp 38998->38999 39000 40a99c wcscmp 38998->39000 38999->38998 39000->38998 39001->38766 39002->38770 39004 40aa23 RegEnumValueW 39003->39004 39004->38777 39004->38778 39006 405335 39005->39006 39007 40522a 39005->39007 
39006->38362 39008 40b2cc 27 API calls 39007->39008 39009 405234 39008->39009 39010 40a804 8 API calls 39009->39010 39011 40523a 39010->39011 39050 40b273 39011->39050 39013 405248 _mbscpy _mbscat GetProcAddress 39014 40b273 27 API calls 39013->39014 39015 405279 39014->39015 39053 405211 GetProcAddress 39015->39053 39017 405282 39018 40b273 27 API calls 39017->39018 39019 40528f 39018->39019 39054 405211 GetProcAddress 39019->39054 39021 405298 39022 40b273 27 API calls 39021->39022 39023 4052a5 39022->39023 39055 405211 GetProcAddress 39023->39055 39025 4052ae 39026 40b273 27 API calls 39025->39026 39027 4052bb 39026->39027 39056 405211 GetProcAddress 39027->39056 39029 4052c4 39030 40b273 27 API calls 39029->39030 39031 4052d1 39030->39031 39057 405211 GetProcAddress 39031->39057 39033 4052da 39034 40b273 27 API calls 39033->39034 39035 4052e7 39034->39035 39058 405211 GetProcAddress 39035->39058 39037 4052f0 39038 40b273 27 API calls 39037->39038 39039 4052fd 39038->39039 39051 40b58d 27 API calls 39050->39051 39052 40b18c 39051->39052 39052->39013 39053->39017 39054->39021 39055->39025 39056->39029 39057->39033 39058->39037 39063 405220 39 API calls 39062->39063 39064 405369 39063->39064 39064->38795 39064->38796 39065->38798 39066->38802 39067->38799 39068->38796 39070 40440c FreeLibrary 39069->39070 39071 40436d 39070->39071 39072 40a804 8 API calls 39071->39072 39073 404377 39072->39073 39074 404383 39073->39074 39075 404405 39073->39075 39076 40b273 27 API calls 39074->39076 39075->38368 39075->38369 39075->38373 39077 40438d GetProcAddress 39076->39077 39078 40b273 27 API calls 39077->39078 39079 4043a7 GetProcAddress 39078->39079 39080 40b273 27 API calls 39079->39080 39081 4043ba GetProcAddress 39080->39081 39082 40b273 27 API calls 39081->39082 39083 4043ce GetProcAddress 39082->39083 39084 40b273 27 API calls 39083->39084 39085 4043e2 GetProcAddress 39084->39085 39086 4043f1 39085->39086 39087 4043f7 39086->39087 39088 40440c FreeLibrary 39086->39088 
39087->39075 39088->39075 39090 404413 FreeLibrary 39089->39090 39091 40441e 39089->39091 39090->39091 39091->38384 39092->38381 39094 40447e 39093->39094 39095 40442e 39093->39095 39096 404485 CryptUnprotectData 39094->39096 39097 40449c 39094->39097 39098 40b2cc 27 API calls 39095->39098 39096->39097 39097->38381 39099 404438 39098->39099 39100 40a804 8 API calls 39099->39100 39101 40443e 39100->39101 39102 404445 39101->39102 39103 404467 39101->39103 39104 40b273 27 API calls 39102->39104 39103->39094 39105 404475 FreeLibrary 39103->39105 39106 40444f GetProcAddress 39104->39106 39105->39094 39106->39103 39107 404460 39106->39107 39107->39103 39109 4135f6 39108->39109 39110 4135eb FreeLibrary 39108->39110 39109->38387 39110->39109 39112 4449c4 39111->39112 39113 444a52 39111->39113 39114 40b2cc 27 API calls 39112->39114 39113->38404 39113->38405 39115 4449cb 39114->39115 39116 40a804 8 API calls 39115->39116 39117 4449d1 39116->39117 39118 40b273 27 API calls 39117->39118 39119 4449dc GetProcAddress 39118->39119 39132->38415 39133->38415 39134->38415 39135->38415 39136->38406 39138 403a29 39137->39138 39152 403bed memset memset 39138->39152 39140 403a2f 39141 403ae7 39140->39141 39142 403a3f memset 39140->39142 39145 409b98 GetFileAttributesW 39140->39145 39146 40a8d0 7 API calls 39140->39146 39147 409d1f 6 API calls 39140->39147 39165 40b1ab free free 39141->39165 39142->39140 39144 403aef 39144->38422 39145->39140 39146->39140 39147->39140 39149 40a051 GetFileTime CloseHandle 39148->39149 39150 4039ca CompareFileTime 39148->39150 39149->39150 39150->38422 39151->38421 39153 414c2e 17 API calls 39152->39153 39154 403c38 39153->39154 39155 409719 2 API calls 39154->39155 39156 403c3f wcscat 39155->39156 39157 414c2e 17 API calls 39156->39157 39158 403c61 39157->39158 39159 409719 2 API calls 39158->39159 39160 403c68 wcscat 39159->39160 39166 403af5 39160->39166 39163 403af5 20 API calls 39164 403c95 39163->39164 39164->39140 39165->39144 39167 403b02 
39166->39167 39168 40ae18 9 API calls 39167->39168 39176 403b37 39168->39176 39169 403bdb 39170 40aebe FindClose 39169->39170 39171 403be6 39170->39171 39171->39163 39172 40ae18 9 API calls 39172->39176 39173 40ae51 9 API calls 39173->39176 39174 40add4 wcscmp wcscmp 39174->39176 39175 40aebe FindClose 39175->39176 39176->39169 39176->39172 39176->39173 39176->39174 39176->39175 39177 40a8d0 7 API calls 39176->39177 39177->39176 39179 409d1f 6 API calls 39178->39179 39180 404190 39179->39180 39193 409b98 GetFileAttributesW 39180->39193 39182 40419c 39183 4041a7 6 API calls 39182->39183 39184 40435c 39182->39184 39186 40424f 39183->39186 39184->38449 39186->39184 39187 40425e memset 39186->39187 39189 409d1f 6 API calls 39186->39189 39190 40a8ab 9 API calls 39186->39190 39194 414842 39186->39194 39187->39186 39188 404296 wcscpy 39187->39188 39188->39186 39189->39186 39191 4042b6 memset memset _snwprintf wcscpy 39190->39191 39191->39186 39192->38447 39193->39182 39197 41443e 39194->39197 39196 414866 39196->39186 39198 41444b 39197->39198 39199 414451 39198->39199 39200 4144a3 GetPrivateProfileStringW 39198->39200 39201 414491 39199->39201 39202 414455 wcschr 39199->39202 39200->39196 39203 414495 WritePrivateProfileStringW 39201->39203 39202->39201 39204 414463 _snwprintf 39202->39204 39203->39196 39204->39203 39205->38453 39207 40b2cc 27 API calls 39206->39207 39208 409615 39207->39208 39209 409d1f 6 API calls 39208->39209 39210 409625 39209->39210 39235 409b98 GetFileAttributesW 39210->39235 39212 409634 39213 409648 39212->39213 39236 4091b8 memset 39212->39236 39215 40b2cc 27 API calls 39213->39215 39217 408801 39213->39217 39216 40965d 39215->39216 39218 409d1f 6 API calls 39216->39218 39217->38456 39217->38484 39219 40966d 39218->39219 39288 409b98 GetFileAttributesW 39219->39288 39221 40967c 39221->39217 39222 409681 39221->39222 39289 409529 72 API calls 39222->39289 39224 409690 39224->39217 39235->39212 39290 40a6e6 WideCharToMultiByte 39236->39290 39238 
409202 39291 444432 39238->39291 39241 40b273 27 API calls 39242 409236 39241->39242 39337 438552 39242->39337 39268 40951d 39268->39213 39288->39221 39289->39224 39290->39238 39387 4438b5 39291->39387 39293 44444c 39294 409215 39293->39294 39401 415a6d 39293->39401 39294->39241 39294->39268 39296 4442e6 11 API calls 39298 44469e 39296->39298 39297 444486 39299 4444b9 memcpy 39297->39299 39336 4444a4 39297->39336 39298->39294 39301 443d90 111 API calls 39298->39301 39405 415258 39299->39405 39301->39294 39336->39296 39519 438460 39337->39519 39388 4438d0 39387->39388 39398 4438c9 39387->39398 39475 415378 memcpy memcpy 39388->39475 39398->39293 39402 415a77 39401->39402 39403 415a8d 39402->39403 39404 415a7e memset 39402->39404 39403->39297 39404->39403 39406 4438b5 11 API calls 39405->39406 39531 41703f 39519->39531 39532 417044 39531->39532 39533 41705c 39531->39533 39535 416760 11 API calls 39532->39535 39537 417055 39532->39537 39534 417075 39533->39534 39536 41707a 11 API calls 39533->39536 39535->39537 39536->39532 39658 413f4f 39631->39658 39634 413f37 K32GetModuleFileNameExW 39635 413f4a 39634->39635 39635->38516 39637 413969 wcscpy 39636->39637 39638 41396c wcschr 39636->39638 39648 413a3a 39637->39648 39638->39637 39640 41398e 39638->39640 39663 4097f7 wcslen wcslen _memicmp 39640->39663 39642 41399a 39643 4139a4 memset 39642->39643 39644 4139e6 39642->39644 39664 409dd5 GetWindowsDirectoryW wcscpy 39643->39664 39646 413a31 wcscpy 39644->39646 39647 4139ec memset 39644->39647 39646->39648 39665 409dd5 GetWindowsDirectoryW wcscpy 39647->39665 39648->38516 39649 4139c9 wcscpy wcscat 39649->39648 39651 413a11 memcpy wcscat 39651->39648 39653 413cb0 GetModuleHandleW 39652->39653 39654 413cda 39652->39654 39653->39654 39657 413cbf GetProcAddress 39653->39657 39655 413ce3 GetProcessTimes 39654->39655 39656 413cf6 39654->39656 39655->38518 39656->38518 39657->39654 39659 413f2f 39658->39659 39660 413f54 39658->39660 39659->39634 39659->39635 39661 40a804 8 API 
calls 39660->39661 39662 413f5f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 39661->39662 39662->39659 39663->39642 39664->39649 39665->39651 39666->38538 39667->38561 39669 409cf9 GetVersionExW 39668->39669 39670 409d0a 39668->39670 39669->39670 39670->38568 39670->38572 39671->38573 39672->38578 39673->38580 39674->38646 39676 40bba5 39675->39676 39720 40cc26 39676->39720 39679 40bd4b 39741 40cc0c 39679->39741 39684 40b2cc 27 API calls 39685 40bbef 39684->39685 39748 40ccf0 _wcsicmp 39685->39748 39687 40bbf5 39687->39679 39749 40ccb4 6 API calls 39687->39749 39689 40bc26 39690 40cf04 17 API calls 39689->39690 39691 40bc2e 39690->39691 39692 40bd43 39691->39692 39693 40b2cc 27 API calls 39691->39693 39694 40cc0c 4 API calls 39692->39694 39695 40bc40 39693->39695 39694->39679 39750 40ccf0 _wcsicmp 39695->39750 39697 40bc46 39697->39692 39698 40bc61 memset memset WideCharToMultiByte 39697->39698 39751 40103c strlen 39698->39751 39700 40bcc0 39701 40b273 27 API calls 39700->39701 39702 40bcd0 memcmp 39701->39702 39702->39692 39703 40bce2 39702->39703 39704 404423 38 API calls 39703->39704 39705 40bd10 39704->39705 39705->39692 39706 40bd3a LocalFree 39705->39706 39707 40bd1f memcpy 39705->39707 39706->39692 39707->39706 39708->38661 39709->38697 39710->38697 39711->38697 39712->38697 39713->38697 39714->38697 39715->38697 39716->38697 39717->38697 39718->38673 39719->38694 39752 4096c3 CreateFileW 39720->39752 39722 40cc34 39723 40cc3d GetFileSize 39722->39723 39731 40bbca 39722->39731 39724 40afcf 2 API calls 39723->39724 39725 40cc64 39724->39725 39753 40a2ef ReadFile 39725->39753 39727 40cc71 39754 40ab4a MultiByteToWideChar 39727->39754 39729 40cc95 CloseHandle 39730 40b04b ??3@YAXPAX 39729->39730 39730->39731 39731->39679 39732 40cf04 39731->39732 39733 40b633 free 39732->39733 39734 40cf14 39733->39734 39760 40b1ab free free 39734->39760 39736 40bbdd 39736->39679 39736->39684 39737 40cf1b 39737->39736 39738 40cfef 39737->39738 

Control-flow Graph
                                                                                                                            APIs
                                                                                                                            • memset.MSVCRT ref: 0040DDAD
                                                                                                                              • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                                                                                                            • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                                                                              • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                                              • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                                                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                                                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                                                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                                                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                                                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                                                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                                                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                                                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                                                                            • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                                                            • CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                                                                            • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                                                            • _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                                                            • _wcsicmp.MSVCRT ref: 0040DEC5
                                                                                                                            • _wcsicmp.MSVCRT ref: 0040DED8
                                                                                                                            • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                                                                                                                            • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                                                                                                                            • DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                                                                                                                            • memset.MSVCRT ref: 0040DF5F
                                                                                                                            • CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
                                                                                                                            • _wcsicmp.MSVCRT ref: 0040DFB2
                                                                                                                            • CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
                                                                                                                            • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                                                                                                                            • API String ID: 708747863-3398334509
                                                                                                                            • Opcode ID: 5cab624b8928eaf00a06d38b2ee3d6eb31f92f98f3d88623932f7a2009947366
                                                                                                                            • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                                                                                                                            • Opcode Fuzzy Hash: 5cab624b8928eaf00a06d38b2ee3d6eb31f92f98f3d88623932f7a2009947366
                                                                                                                            • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                                                              • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                                                                                                              • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
                                                                                                                              • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                            • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                                                                                                            • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                                                                                                            • free.MSVCRT ref: 00418803
                                                                                                                            Similarity
                                                                                                                            • API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1355100292-0
                                                                                                                            • Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                                                                                            • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                                                                                                                            • Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                                                                                            • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                                                                                                                            APIs
                                                                                                                            • CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                                            • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Library$Load$AddressCryptDataDirectoryFreeProcSystemUnprotectmemsetwcscatwcscpy
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 767404330-0
                                                                                                                            • Opcode ID: 91f5c8417cc05eb5371089ee99512099cd95d68580e827c1857cd6a30ed1daf0
                                                                                                                            • Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
                                                                                                                            • Opcode Fuzzy Hash: 91f5c8417cc05eb5371089ee99512099cd95d68580e827c1857cd6a30ed1daf0
                                                                                                                            • Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
                                                                                                                            APIs
                                                                                                                            • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                                                                                                            • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: FileFind$FirstNext
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1690352074-0
                                                                                                                            • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                                                            • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                                                                                                            • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                                                            • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                                                                                                            APIs
                                                                                                                            • memset.MSVCRT ref: 0041898C
                                                                                                                            • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: InfoSystemmemset
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3558857096-0
                                                                                                                            • Opcode ID: 1cb27ac447f4cf033b6cba199a5ddcb1fdd974c12d9e405e28a5f35c0eb83b67
                                                                                                                            • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                                                                                                            • Opcode Fuzzy Hash: 1cb27ac447f4cf033b6cba199a5ddcb1fdd974c12d9e405e28a5f35c0eb83b67
                                                                                                                            • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • memset.MSVCRT ref: 004455C2
                                                                                                                            • wcsrchr.MSVCRT ref: 004455DA
                                                                                                                            • memset.MSVCRT ref: 0044570D
                                                                                                                            • memset.MSVCRT ref: 00445725
                                                                                                                              • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                                                                                                              • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                                                                                                              • Part of subcall function 0040BDB0: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                                                                              • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                                                                                                              • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
                                                                                                                              • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                                                                                                              • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                                                                              • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                                                                            • memset.MSVCRT ref: 0044573D
                                                                                                                            • memset.MSVCRT ref: 00445755
                                                                                                                            • memset.MSVCRT ref: 004458CB
                                                                                                                            • memset.MSVCRT ref: 004458E3
                                                                                                                            • memset.MSVCRT ref: 0044596E
                                                                                                                            • memset.MSVCRT ref: 00445A10
                                                                                                                            • memset.MSVCRT ref: 00445A28
                                                                                                                            • memset.MSVCRT ref: 00445AC6
                                                                                                                              • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                              • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                                                              • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                                                                              • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                                                                                                              • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                                                                              • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                                                                            • memset.MSVCRT ref: 00445B52
                                                                                                                            • memset.MSVCRT ref: 00445B6A
                                                                                                                            • memset.MSVCRT ref: 00445C9B
                                                                                                                            • memset.MSVCRT ref: 00445CB3
                                                                                                                            • _wcsicmp.MSVCRT ref: 00445D56
                                                                                                                            • memset.MSVCRT ref: 00445B82
                                                                                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                                              • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                                              • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                                              • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                                                                                                              • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                                                                                                            • memset.MSVCRT ref: 00445986
                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateFolderHandlePathProcSizeSpecial_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
                                                                                                                            • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                                                                                            • API String ID: 1963886904-3798722523
                                                                                                                            • Opcode ID: 4107367e6a52814d16d978fdb1f2ed27fa2de906a3c2bdd9af1925875ae5045e
                                                                                                                            • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                                                                                                            • Opcode Fuzzy Hash: 4107367e6a52814d16d978fdb1f2ed27fa2de906a3c2bdd9af1925875ae5045e
                                                                                                                            • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044C3
                                                                                                                              • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                                                              • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044E9
                                                                                                                              • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                                            • SetErrorMode.KERNELBASE(00008001,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 00412799
                                                                                                                            • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004127B2
                                                                                                                            • EnumResourceTypesW.KERNEL32(00000000,?,00000002), ref: 004127B9
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                                                                                            • String ID: $/deleteregkey$/savelangfile
                                                                                                                            • API String ID: 2744995895-28296030

Control-flow Graph

APIs
• memset.MSVCRT ref: 0040B71C
  • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
  • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
• wcsrchr.MSVCRT ref: 0040B738
• memset.MSVCRT ref: 0040B756
• memset.MSVCRT ref: 0040B7F5
• CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
• CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
• CloseHandle.KERNELBASE(00000000,?,?), ref: 0040B838
• memset.MSVCRT ref: 0040B851
• memset.MSVCRT ref: 0040B8CA
• memcmp.MSVCRT(?,v10,00000003), ref: 0040B9BF
  • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
  • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
  • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
• DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
• memset.MSVCRT ref: 0040BB53
• memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
• LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
Strings
Memory Dump Source
• Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Similarity
• API ID: memset$File$Freewcsrchr$AddressCloseCopyCreateCryptDataDeleteHandleLibraryLocalProcUnprotectmemcmpmemcpywcscpy
• String ID: chp$v10
• API String ID: 1297422669-2783969131

Control-flow Graph
APIs
  • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
  • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
• free.MSVCRT ref: 0040E49A
  • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
• memset.MSVCRT ref: 0040E380
  • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
  • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,Function_0004E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
• wcschr.MSVCRT ref: 0040E3B8
• memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,74DF2EE0), ref: 0040E3EC
• memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,74DF2EE0), ref: 0040E407
• memcpy.MSVCRT(?,-00000220,00000008,Function_0004E518,00000000,00000000,74DF2EE0), ref: 0040E422
• memcpy.MSVCRT(?,-00000220,00000008,Function_0004E518,00000000,00000000,74DF2EE0), ref: 0040E43D
Strings
Memory Dump Source
• Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Similarity
• API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
• String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
• API String ID: 3849927982-2252543386

Control-flow Graph
APIs
• memset.MSVCRT ref: 004091E2
  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
• memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
• memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
• memcpy.MSVCRT(?,00000023,?), ref: 0040930C
• memcpy.MSVCRT(?,?,00000010), ref: 00409325
• memcmp.MSVCRT(00000000,0045A4E8,00000006), ref: 0040933B
• memcpy.MSVCRT(?,00000015,?), ref: 00409357
• memcpy.MSVCRT(?,?,00000010), ref: 00409370
• memcmp.MSVCRT(00000000,004599B8,00000010), ref: 00409411
• memcmp.MSVCRT(00000000,0045A500,00000006), ref: 00409429
• memcpy.MSVCRT(?,00000023,?), ref: 00409462
• memcpy.MSVCRT(?,?,00000010), ref: 0040947E
• memcpy.MSVCRT(?,?,00000020), ref: 0040949A
• memcmp.MSVCRT(00000000,0045A4F8,00000006), ref: 004094AC
• memcpy.MSVCRT(?,00000015,?), ref: 004094D0
• memcpy.MSVCRT(?,?,00000020), ref: 004094E8
Strings
Memory Dump Source
• Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Similarity
• API ID: memcpy$memcmp$ByteCharMultiWidememset
• String ID:
• API String ID: 3715365532-3916222277

Control-flow Graph
APIs
  • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00413D6A
• memset.MSVCRT ref: 00413D7F
• Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
• OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
• memset.MSVCRT ref: 00413E07
• GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
• GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
• CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
• free.MSVCRT ref: 00413EC1
• Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
• CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
Strings
Memory Dump Source
• Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Similarity
• API ID: Handle$CloseProcess32freememset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
• String ID: QueryFullProcessImageNameW$kernel32.dll
• API String ID: 1344430650-1740548384

Control-flow Graph

APIs
  • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
  • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
  • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
  • Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
  • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
  • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
• OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
• GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
• DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
• GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
  • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
  • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
  • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
  • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
• CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
• MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
• WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                                            • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                                                            • CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                                                                                            • CloseHandle.KERNEL32(?), ref: 0040E148
                                                                                                                            • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                                                                                            • String ID: bhv
                                                                                                                            • API String ID: 4234240956-2689659898
                                                                                                                            • Opcode ID: d6173e2fc1e4a9acd8e6e5097b502ef7bad012bb9f4f5ce7a241332e90e3d993
                                                                                                                            • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                                                                                                            • Opcode Fuzzy Hash: d6173e2fc1e4a9acd8e6e5097b502ef7bad012bb9f4f5ce7a241332e90e3d993
                                                                                                                            • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                            • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                                                            • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                                                            • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                                                            • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                                                            • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                                            • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                                            • API String ID: 2941347001-70141382
                                                                                                                            • Opcode ID: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                                                                                                            • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                                                                                                                            • Opcode Fuzzy Hash: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                                                                                                            • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • memset.MSVCRT ref: 0040C298
                                                                                                                              • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                              • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                                                                                                              • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                                                                                                              • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                                            • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                                                            • wcschr.MSVCRT ref: 0040C324
                                                                                                                            • wcschr.MSVCRT ref: 0040C344
                                                                                                                            • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                                                            • GetLastError.KERNEL32 ref: 0040C373
                                                                                                                            • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                                                                                                            • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
                                                                                                                            • String ID: visited:
                                                                                                                            • API String ID: 2470578098-1702587658
                                                                                                                            • Opcode ID: 93c9a51482be428e2f8f42027b6bca19130ab09787b58ace62cc7f2a9cf54466
                                                                                                                            • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                                                                                                            • Opcode Fuzzy Hash: 93c9a51482be428e2f8f42027b6bca19130ab09787b58ace62cc7f2a9cf54466
                                                                                                                            • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                                            • memset.MSVCRT ref: 0040E1BD
                                                                                                                              • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                                            • free.MSVCRT ref: 0040E28B
                                                                                                                              • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                                              • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                                                                                                              • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                                                                                                            • _snwprintf.MSVCRT ref: 0040E257
                                                                                                                              • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                                              • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                                              • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                                              • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                                                                                            • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                                                                                            • API String ID: 2804212203-2982631422
                                                                                                                            • Opcode ID: 7a95fccbd23525aa76b2e079fc64e0475dfff11d865135f876cd6a5397388c2b
                                                                                                                            • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                                                                                                            • Opcode Fuzzy Hash: 7a95fccbd23525aa76b2e079fc64e0475dfff11d865135f876cd6a5397388c2b
                                                                                                                            • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • GetModuleHandleW.KERNEL32(00000000,?, AE,?,?,00411B78,?,General,?,00000000,00000001), ref: 0040B5A5
                                                                                                                            • FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
                                                                                                                            • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                                                                                                            • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                                                                                                            • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                                                                                                            • memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                                                                                                            • String ID: AE$BIN
                                                                                                                            • API String ID: 1668488027-3931574542
                                                                                                                            • Opcode ID: 34e809506899ed03cb1dc36614dfe32cef5e62f1a3b34244b0efced66f6d4593
                                                                                                                            • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                                                                                                            • Opcode Fuzzy Hash: 34e809506899ed03cb1dc36614dfe32cef5e62f1a3b34244b0efced66f6d4593
                                                                                                                            • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED

                                                                                                                            Control-flow Graph

APIs
  • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
  • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
  • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
• memset.MSVCRT ref: 0040BC75
• memset.MSVCRT ref: 0040BC8C
• WideCharToMultiByte.KERNEL32(00000000,00000000,Function_0004E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
• memcmp.MSVCRT(?,00000000,00000005,?,?,?,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE), ref: 0040BCD6
• memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
• LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
Strings
Memory Dump Source
• Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Similarity
• API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
• String ID:
• API String ID: 115830560-3916222277
• Opcode ID: 4ebf604db45489440b0c8485e844b7deffc41ff7e568ae10611abfa3d316197e
• Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
• Opcode Fuzzy Hash: 4ebf604db45489440b0c8485e844b7deffc41ff7e568ae10611abfa3d316197e
• Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

Control-flow Graph

Basic blocks of the function at 41837f, recovered from the rendered graph as an edge list (block id, address range, API or internal call made in the block, successor blocks). The graph's Executed / Not Executed colouring does not survive in the text rendering and is therefore not shown.
• 822 41837f-4183bf -> 823, 824
• 823 4183c1-4183cc call 418197 -> 829, 830
• 824 4183dc-4183ec call 418160 -> 831, 832
• 829 4183d2-4183d8 -> 824
• 830 418517-41851d (no successors)
• 831 4183f6-41840b -> 833, 834
• 832 4183ee-4183f1 -> 830
• 833 418417-418423 -> 835
• 834 41840d-418415 -> 835
• 835 418427-418442 call 41739b -> 838, 839
• 838 418444-41845d CreateFileW -> 840
• 839 41845f-418475 CreateFileA -> 840
• 840 418477-41847c -> 841, 842
• 841 4184c2-4184c7 -> 845, 846
• 842 41847e-418495 GetLastError free -> 843, 844
• 843 4184b5-4184c0 call 444706 -> 830
• 844 418497-4184b3 call 41837f (the function's own entry block, 822) -> 830
• 845 4184d5-418501 memset call 418758 -> 852
• 846 4184c9-4184d3 -> 845
• 852 418506-418515 free -> 830
APIs
• CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
• CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
• GetLastError.KERNEL32 ref: 0041847E
• free.MSVCRT ref: 0041848B
Strings
Memory Dump Source
• Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Similarity
• API ID: CreateFile$ErrorLastfree
• String ID: |A
• API String ID: 77810686-1717621600
• Opcode ID: b9220c8ee9235e77546fc7e578fe859ac5c7910c95b4d012992e052ab282d142
• Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
• Opcode Fuzzy Hash: b9220c8ee9235e77546fc7e578fe859ac5c7910c95b4d012992e052ab282d142
• Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96

Control-flow Graph

APIs
• memset.MSVCRT ref: 0041249C
• ??2@YAPAXI@Z.MSVCRT(00002A88), ref: 004124D2
• ??2@YAPAXI@Z.MSVCRT(00000350), ref: 00412510
• GetModuleHandleW.KERNEL32(00000000,0000000E), ref: 00412582
• LoadIconW.USER32(00000000,00000065), ref: 0041258B
• wcscpy.MSVCRT ref: 004125A0
Strings
Memory Dump Source
• Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Similarity
• API ID: ??2@$HandleIconLoadModulememsetwcscpy
• String ID: r!A
• API String ID: 2791114272-628097481
• Opcode ID: c924fcd7ecfcbdf661535418ab9e4f477d4ea067639620652b406838daccced0
• Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
• Opcode Fuzzy Hash: c924fcd7ecfcbdf661535418ab9e4f477d4ea067639620652b406838daccced0
• Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49
APIs
  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
  • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
  • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
  • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
  • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
  • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
  • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
  • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
  • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
  • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
  • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
  • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
  • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
• _wcslwr.MSVCRT ref: 0040C817
  • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
  • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
• wcslen.MSVCRT ref: 0040C82C
Strings
Memory Dump Source
• Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Similarity
• API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
• String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
• API String ID: 2936932814-4196376884
• Opcode ID: b881829d82f0d8b9654aa99a04529af2f3c2152f6b010e5444e3d03ead400705
• Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
• Opcode Fuzzy Hash: b881829d82f0d8b9654aa99a04529af2f3c2152f6b010e5444e3d03ead400705
• Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D
APIs
• memset.MSVCRT ref: 0040A824
• GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
• wcscpy.MSVCRT ref: 0040A854
• wcscat.MSVCRT ref: 0040A86A
• LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
• LoadLibraryW.KERNEL32(?), ref: 0040A884
Strings
Memory Dump Source
• Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Similarity
• API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
• String ID: C:\Windows\system32
• API String ID: 669240632-2896066436
• Opcode ID: 808217d469f29374b6c53add07773bde8ba425e7a3f83fd710eb9a2b8acfca27
• Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
• Opcode Fuzzy Hash: 808217d469f29374b6c53add07773bde8ba425e7a3f83fd710eb9a2b8acfca27
• Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
APIs
  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
• CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
• wcslen.MSVCRT ref: 0040BE06
• wcsncmp.MSVCRT ref: 0040BE38
• memset.MSVCRT ref: 0040BE91
• memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
• _wcsnicmp.MSVCRT ref: 0040BEFC
• wcschr.MSVCRT ref: 0040BF24
• LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
Memory Dump Source
• Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Similarity
• API ID: AddressProc$CredEnumerateFreeLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
• String ID:
• API String ID: 697348961-0
• Opcode ID: 33cbc3fbfef4114ffc04ab79ab4e472c1ca1484598d0cfc67a802b423a316e07
• Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
• Opcode Fuzzy Hash: 33cbc3fbfef4114ffc04ab79ab4e472c1ca1484598d0cfc67a802b423a316e07
• Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69
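
The per-function API listings on this page are the raw material for a quick capability triage, but the report renders them one call per line with unresolved arguments as "?" and negative immediates as "-" plus hex. The following Python helper is an added example, not Joe Sandbox code and not part of the report: it parses lines in exactly the form shown above ("• Name.MODULE(args), ref: address", with the "Part of subcall function" prefix for calls Joe folds in from callees), normalises arguments to unsigned 32-bit values, unresolved markers or string literals, and summarises the behaviours a function touches. The CAPABILITY table and its tags are my own assumption, not the report's signatures; the sample input is constructed from lines copied out of the CredEnumerateW and CreateFile listings above.

```python
"""Parse Joe Sandbox per-function "APIs" listings into structured records and
derive a coarse capability summary.  Added example, not Joe Sandbox code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Union

Arg = Union[None, int, str]  # None = unresolved "?", int = 32-bit immediate, str = literal


@dataclass
class ApiCall:
    api: str                    # "CreateFileW", "??2@YAPAXI@Z", ...
    module: str                 # "KERNEL32", "MSVCRT", ...
    args: List[Arg]             # [] when the listing shows no argument list
    ref: int                    # call-site address
    subcall_of: Optional[int]   # callee address for "Part of subcall function" lines


# "• [Part of subcall function XXXXXXXX: ]Name.MODULE[(args)][,] ref: XXXXXXXX"
_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[^\s.(]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
_IMM = re.compile(r"^-?[0-9A-Fa-f]{8}$")


def parse_arg(tok: str) -> Arg:
    """'?' -> None; an 8-digit hex immediate (Joe prints negative ones with a
    leading '-') -> unsigned 32-bit int; anything else is kept as a string literal."""
    tok = tok.strip()
    if tok == "?":
        return None
    if _IMM.match(tok):
        return int(tok, 16) & 0xFFFFFFFF
    return tok


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Return an ApiCall for one listing line, or None for headers and other text."""
    m = _LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [parse_arg(t) for t in raw.split(",")] if raw else []
    sub = m.group("sub")
    return ApiCall(api=m.group("api"), module=m.group("mod").upper(), args=args,
                   ref=int(m.group("ref"), 16),
                   subcall_of=int(sub, 16) if sub else None)


def parse_listing(text: str) -> List[ApiCall]:
    """Parse a whole APIs block; non-matching lines (headers, blanks) are skipped."""
    calls = [parse_api_line(ln) for ln in text.splitlines()]
    return [c for c in calls if c is not None]


# Assumed triage table (mine, not the report's): API name -> behaviour tag.
CAPABILITY: Dict[str, str] = {
    "CredEnumerateW": "credential-manager harvesting",
    "FindFirstUrlCacheEntryW": "IE history/cache enumeration",
    "RegEnumValueW": "registry enumeration",
    "GetProcAddress": "dynamic API resolution",
    "LoadLibraryW": "dynamic library loading",
    "CreateFileW": "file access",
    "CreateFileA": "file access",
}


def capabilities(calls: List[ApiCall], include_subcalls: bool = True) -> Set[str]:
    """Tags for the APIs a function touches; with include_subcalls=False only the
    function's own call sites count, not the callee lines Joe folds in."""
    return {CAPABILITY[c.api] for c in calls
            if c.api in CAPABILITY and (include_subcalls or c.subcall_of is None)}


# Constructed sample: lines copied from the CredEnumerateW and CreateFile listings above.
SAMPLE = """APIs
  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
• CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
• wcslen.MSVCRT ref: 0040BE06
• memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
• LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
• CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
• CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
• ??2@YAPAXI@Z.MSVCRT(00002A88), ref: 004124D2
Strings
"""

if __name__ == "__main__":
    calls = parse_listing(SAMPLE)
    for c in calls:
        where = f"(via {c.subcall_of:08X}) " if c.subcall_of is not None else ""
        print(f"{c.ref:08X} {where}{c.module}!{c.api} {c.args}")
    print("all:", sorted(capabilities(calls)))
    print("direct only:", sorted(capabilities(calls, include_subcalls=False)))
```

Two details are worth keeping in mind when reading the listings this way. The "-7FBE829D" desired-access argument shown for CreateFileW and CreateFileA is the report's signed rendering of a 32-bit immediate; the parser normalises it to 0x80417D63 and does not try to interpret it. And the "Part of subcall function" lines belong to the callee (here the GetProcAddress calls at 00404363), so a triage that wants to attribute behaviour to the routine that actually calls CredEnumerateW should pass include_subcalls=False.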
APIs
• memset.MSVCRT ref: 00403CBF
• memset.MSVCRT ref: 00403CD4
• memset.MSVCRT ref: 00403CE9
• memset.MSVCRT ref: 00403CFE
• memset.MSVCRT ref: 00403D13
  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
• memset.MSVCRT ref: 00403DDA
  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
  • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
Strings
Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                                                                            • String ID: Waterfox$Waterfox\Profiles
                                                                                                                            • API String ID: 4039892925-11920434
                                                                                                                            • Opcode ID: 74213e66932f07ea3ad059af1798c87c438cc92db4e0e7cdb609a7dadd567ada
                                                                                                                            • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                                                                                                            • Opcode Fuzzy Hash: 74213e66932f07ea3ad059af1798c87c438cc92db4e0e7cdb609a7dadd567ada
                                                                                                                            • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
                                                                                                                            APIs
                                                                                                                            • memset.MSVCRT ref: 00403E50
                                                                                                                            • memset.MSVCRT ref: 00403E65
                                                                                                                            • memset.MSVCRT ref: 00403E7A
                                                                                                                            • memset.MSVCRT ref: 00403E8F
                                                                                                                            • memset.MSVCRT ref: 00403EA4
                                                                                                                              • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                              • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                              • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                              • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                              • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                                            • memset.MSVCRT ref: 00403F6B
                                                                                                                              • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                              • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                                                                            • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                                                                                            • API String ID: 4039892925-2068335096
                                                                                                                            • Opcode ID: fb8d06a7ed3fa35f71d99b938417e45633d605fe1ac21657eef3450a4ac41d2d
                                                                                                                            • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                                                                                                                            • Opcode Fuzzy Hash: fb8d06a7ed3fa35f71d99b938417e45633d605fe1ac21657eef3450a4ac41d2d
                                                                                                                            • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
                                                                                                                            APIs
                                                                                                                            • memset.MSVCRT ref: 00403FE1
                                                                                                                            • memset.MSVCRT ref: 00403FF6
                                                                                                                            • memset.MSVCRT ref: 0040400B
                                                                                                                            • memset.MSVCRT ref: 00404020
                                                                                                                            • memset.MSVCRT ref: 00404035
                                                                                                                              • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                              • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                              • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                              • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                              • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                                            • memset.MSVCRT ref: 004040FC
                                                                                                                              • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                              • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                                                                            • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                                                                                            • API String ID: 4039892925-3369679110
                                                                                                                            • Opcode ID: a800c2c864e82bb525ebc7d4b700ce70e1897f56eef446e490fc18a40a012dd3
                                                                                                                            • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                                                                                                                            • Opcode Fuzzy Hash: a800c2c864e82bb525ebc7d4b700ce70e1897f56eef446e490fc18a40a012dd3
                                                                                                                            • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
                                                                                                                            APIs
                                                                                                                            • memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: memcpy
                                                                                                                            • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                                                                                                            • API String ID: 3510742995-2641926074
                                                                                                                            • Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                                                                            • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                                                                                                                            • Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                                                                            • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                                                                              • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                                                                                                              • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                                                                                                            • memset.MSVCRT ref: 004033B7
                                                                                                                            • memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
                                                                                                                            • wcscmp.MSVCRT ref: 004033FC
                                                                                                                            • _wcsicmp.MSVCRT ref: 00403439
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
                                                                                                                            • String ID: $0.@
                                                                                                                            • API String ID: 2758756878-1896041820
                                                                                                                            • Opcode ID: 90c1bd1f00aab923b8f25d437f952d518439630af4329cefc1ee53129d619d56
                                                                                                                            • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                                                                                                                            • Opcode Fuzzy Hash: 90c1bd1f00aab923b8f25d437f952d518439630af4329cefc1ee53129d619d56
                                                                                                                            • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2941347001-0
                                                                                                                            • Opcode ID: 80e482451f5ca37e8404f50e4d067f365766b265f7642500ec0655012d68ebd6
                                                                                                                            • Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
                                                                                                                            • Opcode Fuzzy Hash: 80e482451f5ca37e8404f50e4d067f365766b265f7642500ec0655012d68ebd6
                                                                                                                            • Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C

APIs
• memset.MSVCRT ref: 00403C09
• memset.MSVCRT ref: 00403C1E
  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
  • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
  • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
• wcscat.MSVCRT ref: 00403C47
  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
• wcscat.MSVCRT ref: 00403C70
Strings
Memory Dump Source
• Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Similarity
• API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
• String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
• API String ID: 1534475566-1174173950
• Opcode ID: 8452d1ff202b3ecdc32f03c4689b339ff6508c8f38893fabe83067ed25a4ac21
• Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
• Opcode Fuzzy Hash: 8452d1ff202b3ecdc32f03c4689b339ff6508c8f38893fabe83067ed25a4ac21
• Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9

APIs
  • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
• SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
• memset.MSVCRT ref: 00414C87
• RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
• wcscpy.MSVCRT ref: 00414CFC
  • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
Strings
• Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
Memory Dump Source
• Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Similarity
• API ID: AddressCloseFolderPathProcSpecialVersionmemsetwcscpy
• String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
• API String ID: 71295984-2036018995
• Opcode ID: f400cfab40eb781a7377af97b809c3f02e1ff83a00fe342fd0a4f0569afe9d8a
• Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
• Opcode Fuzzy Hash: f400cfab40eb781a7377af97b809c3f02e1ff83a00fe342fd0a4f0569afe9d8a
• Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE

APIs
• wcschr.MSVCRT ref: 00414458
• _snwprintf.MSVCRT ref: 0041447D
• WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
• GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
Strings
Memory Dump Source
• Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Similarity
• API ID: PrivateProfileString$Write_snwprintfwcschr
• String ID: "%s"
• API String ID: 1343145685-3297466227
• Opcode ID: aabbe202c5f79078aea71dac5ab2605718744c8b92afc7520f4e067a7367162e
• Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
• Opcode Fuzzy Hash: aabbe202c5f79078aea71dac5ab2605718744c8b92afc7520f4e067a7367162e
• Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58

APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
• GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
• GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
Strings
Memory Dump Source
• Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Similarity
• API ID: AddressHandleModuleProcProcessTimes
• String ID: GetProcessTimes$kernel32.dll
• API String ID: 1714573020-3385500049
• Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
• Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
• Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
• Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99

APIs
• memset.MSVCRT ref: 004087D6
  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
  • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
• memset.MSVCRT ref: 00408828
• memset.MSVCRT ref: 00408840
• memset.MSVCRT ref: 00408858
• memset.MSVCRT ref: 00408870
• memset.MSVCRT ref: 00408888
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
Memory Dump Source
• Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Similarity
• API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
• String ID:
• API String ID: 2911713577-0
• Opcode ID: 6684bba834465d20886231ffe2d62564197a18c1a2325da43f028315e65dbcab
• Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
• Opcode Fuzzy Hash: 6684bba834465d20886231ffe2d62564197a18c1a2325da43f028315e65dbcab
• Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9

APIs
• memcmp.MSVCRT(?,?,00000004,?,00000065,004381DF,00000065,00000000,00000007,?,00000000), ref: 0041F202
• memcmp.MSVCRT(?,SQLite format 3,00000010,?,00000065,004381DF,00000065,00000000), ref: 0041F22D
• memcmp.MSVCRT(?,@ ,00000003,?,?,00000065,004381DF,00000065,00000000), ref: 0041F299
Strings
Memory Dump Source
• Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Similarity
• API ID: memcmp
• String ID: @ $SQLite format 3
• API String ID: 1475443563-3708268960
• Opcode ID: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
• Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
• Opcode Fuzzy Hash: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
• Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
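Several of the functions above describe the same browser credential-harvesting path: the helper at 00414C2E resolves a special folder with SHGetSpecialFolderPathW (CSIDL 0000001A is CSIDL_APPDATA, the user's roaming AppData directory), falling back to the Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders registry key; its callers append Mozilla\Firefox\Profiles (or the older Mozilla\Profiles) and, in the function that follows, Microsoft\Windows\WebCache\WebCacheV01.dat / WebCacheV24.dat; and the routine at 0041F202 sniffs candidate files by comparing 16 bytes against "SQLite format 3". A detail that matters when turning these into detections: everything that goes through wcscat/wcscpy is stored wide (UTF-16LE) in the image, while the memcmp target is narrow ASCII with its NUL terminator included in the 16-byte compare. The scanner below is an added triage example, not part of the Joe Sandbox report or of the sample; the indicator list is taken from the String IDs on this page, and the sample image it scans is constructed inline.

```python
"""Added triage helper: scan an unpacked image or memory dump for the
credential-store indicators listed in this report, using the encoding each
function actually uses. Not part of the Joe Sandbox report or the sample."""
import re

# Strings handed to wcscat()/wcscpy() are wide (UTF-16LE) in the image; the
# memcmp() target is narrow ASCII. A grep or YARA rule that searches the
# wrong encoding matches nothing, so each indicator carries its own.
INDICATORS = [
    # (label, literal taken from the report's String IDs, encoding in the image)
    ("firefox_profiles", "Mozilla\\Firefox\\Profiles", "utf-16le"),
    ("mozilla_profiles", "Mozilla\\Profiles", "utf-16le"),
    ("shell_folders_key",
     "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders",
     "utf-16le"),
    ("webcache_v01", "Microsoft\\Windows\\WebCache\\WebCacheV01.dat", "utf-16le"),
    ("webcache_v24", "Microsoft\\Windows\\WebCache\\WebCacheV24.dat", "utf-16le"),
    ("sqlite_magic", "SQLite format 3", "ascii"),
]

# memcmp(buf, "SQLite format 3", 0x10) compares 16 bytes, so the NUL
# terminator is part of the match: this is the SQLite 3 file header.
SQLITE_MAGIC = b"SQLite format 3\x00"


def find_indicators(data):
    """Map each indicator label to the offsets at which it occurs in data."""
    hits = {}
    for label, literal, encoding in INDICATORS:
        needle = literal.encode(encoding)
        offsets = [m.start() for m in re.finditer(re.escape(needle), data)]
        if offsets:
            hits[label] = offsets
    return hits


def is_sqlite_header(buf):
    """Mirror the 16-byte compare at 0041F22D: True only for a SQLite 3 header."""
    n = len(SQLITE_MAGIC)
    return len(buf) >= n and buf[:n] == SQLITE_MAGIC


# Constructed test image (not a real dump): filler, the wide Firefox path,
# a narrow copy of the same path as a decoy, then a SQLite header fragment.
_FILL = b"\x90" * 32
SAMPLE_IMAGE = (
    _FILL
    + "Mozilla\\Firefox\\Profiles".encode("utf-16le")   # offset 32, 48 bytes
    + _FILL
    + b"Mozilla\\Firefox\\Profiles"                     # narrow decoy: must not match
    + _FILL
    + SQLITE_MAGIC                                     # offset 168
    + _FILL
)

if __name__ == "__main__":
    for label, offsets in sorted(find_indicators(SAMPLE_IMAGE).items()):
        print(f"{label:18s} at {[hex(o) for o in offsets]}")
    print("SQLite header at 168:", is_sqlite_header(SAMPLE_IMAGE[168:]))
```

To run this over a real artefact, read the unpacked image or the .sdmp file in binary mode and pass the bytes to find_indicators; the narrow decoy in the constructed image is there to show that the wide search does not fire on an ASCII copy of the path, which is the same reason a YARA rule for these strings needs the wide modifier on the path strings and plain ascii on the SQLite magic.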

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Similarity
• API ID: _wcsicmpqsort
• String ID: /nosort$/sort
• API String ID: 1579243037-1578091866
• Opcode ID: a0f12cb90dd745c164ef67684cb79943b88980d13b6e843c418957b63f9314a7
• Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
• Opcode Fuzzy Hash: a0f12cb90dd745c164ef67684cb79943b88980d13b6e843c418957b63f9314a7
• Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A

APIs
• memset.MSVCRT ref: 0040E60F
• memset.MSVCRT ref: 0040E629
  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
Strings
• Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
• Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
Memory Dump Source
• Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: memsetwcslen$AttributesFileFolderPathSpecialwcscatwcscpy
                                                                                                                            • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                                                                                            • API String ID: 2887208581-2114579845
                                                                                                                            • Opcode ID: 45b77cc57d7adabb6b76daf53bfb3be083a41c4971f5e6ab387fbe8a56a2d209
                                                                                                                            • Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
                                                                                                                            • Opcode Fuzzy Hash: 45b77cc57d7adabb6b76daf53bfb3be083a41c4971f5e6ab387fbe8a56a2d209
                                                                                                                            • Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998
                                                                                                                            APIs
                                                                                                                            • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                                                                                                            • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                                                                                            • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                                                                                            • LockResource.KERNEL32(00000000), ref: 004148EF
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Resource$FindLoadLockSizeof
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3473537107-0
                                                                                                                            • Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                                                                            • Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
                                                                                                                            • Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                                                                            • Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
                                                                                                                            APIs
                                                                                                                            • ??3@YAXPAX@Z.MSVCRT(020C0048), ref: 0044DF01
                                                                                                                            • ??3@YAXPAX@Z.MSVCRT(020D0050), ref: 0044DF11
                                                                                                                            • ??3@YAXPAX@Z.MSVCRT(00636DB0), ref: 0044DF21
                                                                                                                            • ??3@YAXPAX@Z.MSVCRT(020D0458), ref: 0044DF31
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ??3@
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 613200358-0
                                                                                                                            • Opcode ID: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                                                                                            • Instruction ID: aa45652f999bbb0892b85dcd7393972dd4dfe4e89c7b59a5f1a68188070d07e1
                                                                                                                            • Opcode Fuzzy Hash: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                                                                                            • Instruction Fuzzy Hash: 5EE08C60F0830052BA31EBBABD40E2723EC5E1AB4271A842FB905C3282CE2CC880C02D
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: memset
                                                                                                                            • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                                                                            • API String ID: 2221118986-1725073988
                                                                                                                            • Opcode ID: d115b1de85cb0c2c74241db9f2e26d4ca9f76d3b3ab36ed3aa85b1754c3cbe0d
                                                                                                                            • Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
                                                                                                                            • Opcode Fuzzy Hash: d115b1de85cb0c2c74241db9f2e26d4ca9f76d3b3ab36ed3aa85b1754c3cbe0d
                                                                                                                            • Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96
                                                                                                                            APIs
                                                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,00412966,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004125C3
                                                                                                                            • DeleteObject.GDI32(00000000), ref: 004125E7
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ??3@DeleteObject
                                                                                                                            • String ID: r!A
                                                                                                                            • API String ID: 1103273653-628097481
                                                                                                                            • Opcode ID: 35011d0761a793af9b86058f165b74ada9e8dfd6de6a99c5cda2ffee1e56a26e
                                                                                                                            • Instruction ID: d381ae2e1f6c469d4091c7bd434485f036f098756071eb86a226830a39d2e28c
                                                                                                                            • Opcode Fuzzy Hash: 35011d0761a793af9b86058f165b74ada9e8dfd6de6a99c5cda2ffee1e56a26e
                                                                                                                            • Instruction Fuzzy Hash: 72E04F75000302DFD7115F26E400782B7F5FF85315F11455EE89497151EBB96164CE19
                                                                                                                            APIs
                                                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0CC
                                                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0EA
                                                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D108
                                                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D126
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ??2@
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1033339047-0
                                                                                                                            • Opcode ID: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                                                                                                            • Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
                                                                                                                            • Opcode Fuzzy Hash: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                                                                                                            • Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                                                            • memcmp.MSVCRT(?,0044EC68,00000010,?,00000000,?), ref: 00444BA5
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressProc$memcmp
                                                                                                                            • String ID: $$8
                                                                                                                            • API String ID: 2808797137-435121686
                                                                                                                            • Opcode ID: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                                                                                            • Instruction ID: 2c4e4273d6b09173b98ec99ba1a72f96ebc6587eba5c15334d9e54441f883a66
                                                                                                                            • Opcode Fuzzy Hash: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                                                                                            • Instruction Fuzzy Hash: 04314171A00209ABEB10DFA6CDC1BAEB7B9FF88314F11055AE515A3241D778ED048B69
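The per-function API listings in this report are the raw material for manual triage: the FindResourceW/SizeofResource/LoadResource/LockResource sequence (an embedded resource pulled into memory), the run of GetProcAddress calls inside one subcall (imports resolved at run time), the OpenProcess/DuplicateHandle/CreateFileMappingW/MapViewOfFile chain (a file reached through a handle duplicated from another process), SHGetSpecialFolderPathW with CSIDL 0x1A, and the WebCacheV01.dat/WebCacheV24.dat paths. The following Python script is an added example and is not part of the Joe Sandbox report or of its IDA plugin: it parses entries in the format shown on this page and flags those patterns. The sample lines are copied from this report's blocks; the rule names, the required-API sets and the GetProcAddress threshold are this example's own assumptions and are not Joe Sandbox signature names.

```python
"""Triage helper for Joe Sandbox per-function API listings (added example)."""
import re
from collections import Counter

# Constructed input: API and string entries copied from this report's blocks.
# Each function block on the page starts with an "APIs" header.
SAMPLE = r"""APIs
• memset.MSVCRT ref: 0040E60F
  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
Strings
• Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
• Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
APIs
• FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
• SizeofResource.KERNEL32(?,00000000), ref: 004148D4
• LoadResource.KERNEL32(?,00000000), ref: 004148E4
• LockResource.KERNEL32(00000000), ref: 004148EF
APIs
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
• memcmp.MSVCRT(?,0044EC68,00000010,?,00000000,?), ref: 00444BA5
APIs
  • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
  • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
  • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
  • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
  • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
• DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
"""

# "• [Part of subcall function ADDR: ]Name.MODULE[(args)], ref: ADDR"
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[^.\s]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]+)\s*$")
# "• some string, xrefs: ADDR"
STR_RE = re.compile(r"^\s*•\s*(?P<s>.*?),\s+xrefs:\s+(?P<ref>[0-9A-F]+)\s*$")

# Windows SDK CSIDL values for SHGetSpecialFolderPath's third argument.
CSIDL = {0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA",
         0x23: "CSIDL_COMMON_APPDATA", 0x26: "CSIDL_PROGRAM_FILES"}

# Behaviour rules (this example's own labels): every API named must occur
# somewhere in a single function block, directly or via a subcall.
SEQUENCES = {
    "resource-payload-load": {"FindResourceW", "SizeofResource", "LoadResource", "LockResource"},
    "locked-file-via-duplicated-handle": {"OpenProcess", "DuplicateHandle", "CreateFileMappingW", "MapViewOfFile"},
}


def parse_blocks(text):
    """Split report text into per-function blocks of parsed APIs and strings."""
    blocks, cur, mode = [], None, None
    for line in text.splitlines():
        key = line.strip()
        if key == "APIs":
            cur = {"apis": [], "strings": []}
            blocks.append(cur)
            mode = "apis"
            continue
        if key == "Strings":
            mode = "strings"
            continue
        if cur is None:
            continue
        if mode == "apis" and (m := API_RE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur["apis"].append({"name": m["name"], "module": m["mod"],
                                "args": args, "ref": m["ref"], "subcall": m["sub"]})
        elif mode == "strings" and (m := STR_RE.match(line)):
            cur["strings"].append({"string": m["s"], "ref": m["ref"]})
    return blocks


def hex_arg(args, index):
    """Decode one argument when the listing shows a concrete hex value; '?' is unknown."""
    try:
        return int(args[index], 16)
    except (IndexError, ValueError):
        return None


def triage(blocks, min_getprocaddress=4):
    """Return (block_index, rule, detail) findings over all parsed blocks."""
    findings = []
    for i, blk in enumerate(blocks):
        names = Counter(a["name"] for a in blk["apis"])
        for rule, required in SEQUENCES.items():
            if required.issubset(names):
                findings.append((i, rule, "+".join(sorted(required))))
        if names["GetProcAddress"] >= min_getprocaddress:
            findings.append((i, "dynamic-import-resolution", f"{names['GetProcAddress']}x GetProcAddress"))
        for a in blk["apis"]:
            if a["name"].startswith("SHGetSpecialFolderPath"):
                csidl = hex_arg(a["args"], 2)  # third parameter is the CSIDL
                if csidl in CSIDL:
                    findings.append((i, "special-folder", CSIDL[csidl]))
        for s in blk["strings"]:
            if "WebCache" in s["string"]:
                findings.append((i, "browser-webcache-path", s["string"]))
    return findings


if __name__ == "__main__":
    for block_no, rule, detail in triage(parse_blocks(SAMPLE)):
        print(f"block {block_no}: {rule}: {detail}")
```

The parser keeps "Part of subcall function" entries inside the calling block, which is what makes the DuplicateHandle chain and the GetProcAddress run visible at the level of the function the report is describing; a rule that only looked at direct calls would miss both. Arguments shown as "?" are left undecoded rather than guessed.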
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                                              • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                                              • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                                                              • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                                              • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                                                              • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                                                              • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                                              • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                                                              • Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                                                                            • CloseHandle.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                                                                                                                              • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                                                                                                              • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                                                                                                              • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,74DF2EE0), ref: 0040E3EC
                                                                                                                            • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                                                                                                            • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                                                                                                                              • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                                                                                                              • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                                                                                                              • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1979745280-0
                                                                                                                            • Opcode ID: db5b060151050967cb8a3560fbfd23956168ef1b290a982d56d7add8c3b4651d
                                                                                                                            • Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
                                                                                                                            • Opcode Fuzzy Hash: db5b060151050967cb8a3560fbfd23956168ef1b290a982d56d7add8c3b4651d
                                                                                                                            • Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                                                                                                              • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                                                                                                              • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                                                                                                              • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                                                                                                            • memset.MSVCRT ref: 00403A55
                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                                              • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                                              • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                                              • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                                              • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
                                                                                                                            • String ID: history.dat$places.sqlite
                                                                                                                            • API String ID: 2641622041-467022611
                                                                                                                            • Opcode ID: 4ee3c1f855ed567974f8c38ae52f347571c4e2ef0f255528624b3fdde4aab0c5
                                                                                                                            • Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
                                                                                                                            • Opcode Fuzzy Hash: 4ee3c1f855ed567974f8c38ae52f347571c4e2ef0f255528624b3fdde4aab0c5
                                                                                                                            • Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                                                              • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                                                                                                              • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                                                                                                            • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                                                                                                            • GetLastError.KERNEL32 ref: 00417627
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast$File$PointerRead
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 839530781-0
                                                                                                                            • Opcode ID: 43cd8d8e6b63bda72f55cb56ee55d1ec8e5478229177a04f989a23650c495d71
                                                                                                                            • Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
                                                                                                                            • Opcode Fuzzy Hash: 43cd8d8e6b63bda72f55cb56ee55d1ec8e5478229177a04f989a23650c495d71
                                                                                                                            • Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: FileFindFirst
                                                                                                                            • String ID: *.*$index.dat
                                                                                                                            • API String ID: 1974802433-2863569691
                                                                                                                            • Opcode ID: 357f5a483d779ef34e4c4d87daa9b3f5529f5b59003a03b6604f1343cb38d30a
                                                                                                                            • Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
                                                                                                                            • Opcode Fuzzy Hash: 357f5a483d779ef34e4c4d87daa9b3f5529f5b59003a03b6604f1343cb38d30a
                                                                                                                            • Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
                                                                                                                            APIs
                                                                                                                            • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                                                            • GetLastError.KERNEL32 ref: 004175A2
                                                                                                                            • GetLastError.KERNEL32 ref: 004175A8
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast$FilePointer
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1156039329-0
                                                                                                                            • Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                                                                            • Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
                                                                                                                            • Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                                                                            • Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
                                                                                                                            APIs
                                                                                                                            • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                                            • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                                            • CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                                                            Similarity
                                                                                                                            • API ID: File$CloseCreateHandleTime
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3397143404-0
                                                                                                                            • Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                                                                                            • Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
                                                                                                                            • Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                                                                                            • Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665
                                                                                                                            APIs
                                                                                                                            • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                                                            • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                                            • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                                            Similarity
                                                                                                                            • API ID: Temp$DirectoryFileNamePathWindows
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1125800050-0
                                                                                                                            • Opcode ID: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                                                                                            • Instruction ID: b144c37017a21c6b5a3d1d2b3cfc872714830df517851edcd0bc871ed666fd71
                                                                                                                            • Opcode Fuzzy Hash: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                                                                                            • Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8
                                                                                                                            APIs
                                                                                                                            • Sleep.KERNEL32(00000064), ref: 004175D0
                                                                                                                            • CloseHandle.KERNELBASE(?,00000000,00000000,0045DBC0,00417C24,00000008,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseHandleSleep
                                                                                                                            • String ID: }A
                                                                                                                            • API String ID: 252777609-2138825249
                                                                                                                            • Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                                                                                            • Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
                                                                                                                            • Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                                                                                            • Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524
                                                                                                                            APIs
                                                                                                                            • malloc.MSVCRT ref: 00409A10
                                                                                                                            • memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                                                                                                            • free.MSVCRT ref: 00409A31
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: freemallocmemcpy
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3056473165-0
                                                                                                                            • Opcode ID: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                                                                                                                            • Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
                                                                                                                            • Opcode Fuzzy Hash: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                                                                                                                            • Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: d
                                                                                                                            • API String ID: 0-2564639436
                                                                                                                            • Opcode ID: b7bdb433cc21537495b9453c0ef7e1d4136cbb83a95eb0b3518e055101e122e1
                                                                                                                            • Instruction ID: 98c7df9677761670a5e344a1c7628a8b006f0a2246df1cf6f5c5c4488f8f87fd
                                                                                                                            • Opcode Fuzzy Hash: b7bdb433cc21537495b9453c0ef7e1d4136cbb83a95eb0b3518e055101e122e1
                                                                                                                            • Instruction Fuzzy Hash: 4591ABB0508302AFDB20DF19D88196FBBE4BF88358F50192FF88497251D778D985CB9A
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: memset
                                                                                                                            • String ID: BINARY
                                                                                                                            • API String ID: 2221118986-907554435
                                                                                                                            • Opcode ID: befda4f382f52914571534526ddb8b998123412eb8d39833d396fd974aa134d0
                                                                                                                            • Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
                                                                                                                            • Opcode Fuzzy Hash: befda4f382f52914571534526ddb8b998123412eb8d39833d396fd974aa134d0
                                                                                                                            • Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _wcsicmp
                                                                                                                            • String ID: /stext
                                                                                                                            • API String ID: 2081463915-3817206916
                                                                                                                            • Opcode ID: 43183885e7d34794edc347ee746a2fdce482efa4a93d67cd5162a7f7a47e1933
                                                                                                                            • Instruction ID: 10e6e7fbaeb1b3fbdbf907bfc38f809d5841ace5bac79d7196eddb000c1bc607
                                                                                                                            • Opcode Fuzzy Hash: 43183885e7d34794edc347ee746a2fdce482efa4a93d67cd5162a7f7a47e1933
                                                                                                                            • Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                            • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                                              • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                                              • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                              • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                                                                                                              • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                                                                                                            • CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                                                              • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2445788494-0
                                                                                                                            • Opcode ID: bdc6ff89a6972445fbf15f1c87a3cbc7fe705fee6098557394266cd6fc52cd88
                                                                                                                            • Instruction ID: dc8783d9a6c7baf78a377756874cfbd60b78407a6d3acdf6d1052ad5173bbb79
                                                                                                                            • Opcode Fuzzy Hash: bdc6ff89a6972445fbf15f1c87a3cbc7fe705fee6098557394266cd6fc52cd88
                                                                                                                            • Instruction Fuzzy Hash: 91118275804208AFDB10AF6ADC45C8A7F75FF01364711C27AF525A72A1D6349A18CBA5
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            • failed to allocate %u bytes of memory, xrefs: 004152F0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: malloc
                                                                                                                            • String ID: failed to allocate %u bytes of memory
                                                                                                                            • API String ID: 2803490479-1168259600
                                                                                                                            • Opcode ID: 331d9f3b8e40439b36498a1be208f9c7b855b07c1663acfa81ecf9407a5950a4
                                                                                                                            • Instruction ID: 0aa28a7b77b2060330bf56ee6aba3953d7f003d38adef6953018dc3bb0cf108c
                                                                                                                            • Opcode Fuzzy Hash: 331d9f3b8e40439b36498a1be208f9c7b855b07c1663acfa81ecf9407a5950a4
                                                                                                                            • Instruction Fuzzy Hash: 0FE026B7F01A12A3C200561AFD01AC677919FC132572B013BF92CD36C1E638D896C7A9
                                                                                                                            APIs
                                                                                                                            • memset.MSVCRT ref: 0041BDDF
                                                                                                                            • memcmp.MSVCRT(00001388,?,00000010,?,00000065,00000065,?,?,?,?,?,0041F1B4,?,00000065,004381DF,00000065), ref: 0041BDF1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: memcmpmemset
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1065087418-0
                                                                                                                            • Opcode ID: fec4f8c686635726a589492d039bcbb9c6040c3e4ffa7e28f30a1ad23493d54b
                                                                                                                            • Instruction ID: cf105cae5e27f97c9cd1c3f46a8d5e16e2707a712041142e317bfb3d1f631299
                                                                                                                            • Opcode Fuzzy Hash: fec4f8c686635726a589492d039bcbb9c6040c3e4ffa7e28f30a1ad23493d54b
                                                                                                                            • Instruction Fuzzy Hash: 2A615B71A01349EBDB14EFA495815EEB7B4EB04308F1440AFE609D3241E738AED4DB99
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040ECF9
                                                                                                                              • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040EDC0
                                                                                                                            • GetStdHandle.KERNEL32(000000F5,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00410530
                                                                                                                            • CloseHandle.KERNELBASE(00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00410654
                                                                                                                              • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
                                                                                                                              • Part of subcall function 0040973C: GetLastError.KERNEL32(00000000,?,00410669,00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00409750
                                                                                                                              • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                                                                                                              • Part of subcall function 0040973C: MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00409796
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1381354015-0
                                                                                                                            • Opcode ID: 77225ea8c14d98a1088d43b9fd7330a512e035650861724d713e236cc530cbe1
                                                                                                                            • Instruction ID: c777e68e994987bb064ab7fb99de871126f79ef1b866bcb434911d427814d160
                                                                                                                            • Opcode Fuzzy Hash: 77225ea8c14d98a1088d43b9fd7330a512e035650861724d713e236cc530cbe1
                                                                                                                            • Instruction Fuzzy Hash: BE417231A00204EFCB25AF65C885A9E77B6EF84711F20446FF446A7291C7B99EC0DE59
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: memset
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2221118986-0
                                                                                                                            • Opcode ID: 91f73f7a852cbb4360dbb9cf7f888a1e4609bdf8e01f9823d17442fd23f8c43f
                                                                                                                            • Instruction ID: 1d54aaebfbdefc3985b5f7374fea00c82d73a4224d5df9dcd637b0600b3a95b1
                                                                                                                            • Opcode Fuzzy Hash: 91f73f7a852cbb4360dbb9cf7f888a1e4609bdf8e01f9823d17442fd23f8c43f
                                                                                                                            • Instruction Fuzzy Hash: B2415872500701EFDB349F60E8848AAB7F5FB18314720492FE54AC7690EB38E9C58B98
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: free
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1294909896-0
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                                                                                                              • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                                              • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                                              • Part of subcall function 0040A02C: CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                                                            • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                                                                                                            Similarity
                                                                                                                            • API ID: File$Time$CloseCompareCreateHandlememset
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2154303073-0
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                                                                            Similarity
                                                                                                                            • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3150196962-0
                                                                                                                            APIs
                                                                                                                            • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                                                                              • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                            Similarity
                                                                                                                            • API ID: File$PointerRead
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3154509469-0
                                                                                                                            APIs
                                                                                                                            • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                                                                                                              • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                                                                                                              • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                                                                                                              • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                                                                                                            Similarity
                                                                                                                            • API ID: PrivateProfile$StringWrite_itowmemset
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4232544981-0
                                                                                                                            APIs
                                                                                                                            • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                                                                                                            Similarity
                                                                                                                            • API ID: FreeLibrary
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3664257935-0
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                                                              • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                                                              • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                                                              • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                                                              • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                                                            • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressProc$FileModuleName
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3859505661-0
                                                                                                                            APIs
                                                                                                                            • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                            Similarity
                                                                                                                            • API ID: FileRead
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2738559852-0
                                                                                                                            APIs
                                                                                                                            • WriteFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,?,0041056A,00000000,004538EC,00000002,?,00412758,00000000,00000000,?), ref: 0040A325
                                                                                                                            Similarity
                                                                                                                            • API ID: FileWrite
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3934441357-0
                                                                                                                            • Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                                                                            • Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
                                                                                                                            • Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                                                                            • Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94
                                                                                                                            APIs
                                                                                                                            • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: FreeLibrary
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3664257935-0
                                                                                                                            • Opcode ID: 1d54aae614fa8c55dcd640132eb097a684c5c1cfdaa339356b04098da49b3b41
                                                                                                                            • Instruction ID: 8f6381f957debc367d4a0444659be52de1bfd3a154b3998764173f6a98a011bd
                                                                                                                            • Opcode Fuzzy Hash: 1d54aae614fa8c55dcd640132eb097a684c5c1cfdaa339356b04098da49b3b41
                                                                                                                            • Instruction Fuzzy Hash: 1DD0C9765002229BDB10AF26EC057857378FF00712B110425E810B7594D778BEE68ADC
                                                                                                                            APIs
                                                                                                                            • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateFile
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 823142352-0
                                                                                                                            • Opcode ID: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                                                                                            • Instruction ID: 15e4bfb1af8ab284213ec8af4af1ca3ed9a3c322684c6da9746693c795416a08
                                                                                                                            • Opcode Fuzzy Hash: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                                                                                            • Instruction Fuzzy Hash: A8C092B0280200BEFE224B10EC15F36755CE744700F2008247E40F40E0C1605E108524
                                                                                                                            APIs
                                                                                                                            • CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateFile
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 823142352-0
                                                                                                                            • Opcode ID: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                                                                                            • Instruction ID: 13aef0f41518da9c32968a96bed17b980f0e8f352a8d1793a660c4ee04e7d177
                                                                                                                            • Opcode Fuzzy Hash: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                                                                                            • Instruction Fuzzy Hash: B8C012F02903007EFF204B10AC0AF37755DF784700F2048207E40F40E1C2B15C008524
                                                                                                                            APIs
                                                                                                                            • ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ??3@
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 613200358-0
                                                                                                                            • Opcode ID: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                                                                                            • Instruction ID: 6ff791ec813821c2e9e24527ebed0d702daabad41f6d5d50af9b89e3d4ad0470
                                                                                                                            • Opcode Fuzzy Hash: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                                                                                            • Instruction Fuzzy Hash: ADC09BB15117014BE7305F15D40471373D49F11727F318C1DA5D1914C2D77CD4408518
                                                                                                                            APIs
                                                                                                                            • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: FreeLibrary
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3664257935-0
                                                                                                                            • Opcode ID: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                                                                                            • Instruction ID: 97b2006ec1e2dd28fddd19cbcf35086f2a6b1d7d6d8af37d8808782836c913ed
                                                                                                                            • Opcode Fuzzy Hash: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                                                                                            • Instruction Fuzzy Hash: C1C04C355107129BE7318F22C849793B3E8BB00767F40C818A56A85454D7BCE594CE28
                                                                                                                            APIs
                                                                                                                            • EnumResourceNamesW.KERNELBASE(?,?,004148B6,00000000), ref: 0041494B
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: EnumNamesResource
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3334572018-0
                                                                                                                            • Opcode ID: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                                                                                            • Instruction ID: 4cd0fc1a45efe5f4a77ff86a676eea9814a6d41529a344ef69fdb726e0e13cac
                                                                                                                            • Opcode Fuzzy Hash: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                                                                                            • Instruction Fuzzy Hash: 5CC09B355943819FD711DF108C05F1A76D5BF95705F104C397151940A0C7614014A60A
                                                                                                                            APIs
                                                                                                                            • FreeLibrary.KERNELBASE(00000000), ref: 0044DEB6
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: FreeLibrary
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3664257935-0
                                                                                                                            • Opcode ID: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                                                                                            • Instruction ID: c12df66a07a312a107e4de7a98dbd39cb061029a89fa16cd2619b088cce9516a
                                                                                                                            • Opcode Fuzzy Hash: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                                                                                            • Instruction Fuzzy Hash: 95C04C35D10311ABFB31AB11ED4975232A5BB00717F52006494128D065D7B8E454CB2D
                                                                                                                            APIs
                                                                                                                            • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseFind
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1863332320-0
                                                                                                                            • Opcode ID: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                                                                                            • Instruction ID: 0a5868f0c47a417661f40efe111cada53839b745ef6d73ffe26d621af3302058
                                                                                                                            • Opcode Fuzzy Hash: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                                                                                            • Instruction Fuzzy Hash: 06C092341506058BD62C5F38DC9A42A77A0BF4A3303B40F6CA0F3D24F0E73888538A04
                                                                                                                            APIs
                                                                                                                            • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Open
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 71445658-0
                                                                                                                            • Opcode ID: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                                                                                                            • Instruction ID: 4e31294bd56c0fd8f54a78566f459ab053e1b17b284f5820c9a90ca28514d216
                                                                                                                            • Opcode Fuzzy Hash: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                                                                                                            • Instruction Fuzzy Hash: C4C09B35544311BFDE114F40FD09F09BB61BB84B05F004414B254640B182714414EB17
                                                                                                                            APIs
                                                                                                                            • GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AttributesFile
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3188754299-0
                                                                                                                            • Opcode ID: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                                                                                            • Instruction ID: 3e515636d229e53f9e638efbf3d1d2cf0185fd636b5c9b7db17c068ea44c501e
                                                                                                                            • Opcode Fuzzy Hash: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                                                                                            • Instruction Fuzzy Hash: B9B012792104005BCB0807349C4904D35507F456317200B3CF033C00F0D730CC61BA00
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: b24af7433d330108988894de74f75be26998b58131ab4cc11d8f9b1f19dcffda
                                                                                                                            • Instruction ID: 186a7b248be49691fb09735f75239c469d17650efe27a5986e87276cb9a2b443
                                                                                                                            • Opcode Fuzzy Hash: b24af7433d330108988894de74f75be26998b58131ab4cc11d8f9b1f19dcffda
                                                                                                                            • Instruction Fuzzy Hash: E8318B31901616EFDF24AF25D8417DA73A0FF04314F10416BF91497251DB38ADE18BDA
                                                                                                                            APIs
                                                                                                                            • memset.MSVCRT ref: 004095FC
                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                                              • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                                                                                                              • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                                                              • Part of subcall function 004091B8: memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3655998216-0
                                                                                                                            • Opcode ID: 06dd2208bba870b09ae4b6a35152530ffce6bfcddb3583e774ca40d5f9d70baf
                                                                                                                            • Instruction ID: 072a19641c33d96fdc78833b4ff670bebeeceb9371718ab52934a970b5968781
                                                                                                                            • Opcode Fuzzy Hash: 06dd2208bba870b09ae4b6a35152530ffce6bfcddb3583e774ca40d5f9d70baf
                                                                                                                            • Instruction Fuzzy Hash: F311607290021D6AEF20A662DC4AE9B376CEF41318F10047BB908E51D2EA79DE548659
                                                                                                                            APIs
                                                                                                                            • memset.MSVCRT ref: 00445426
                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                                              • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                                              • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1828521557-0
                                                                                                                            • Opcode ID: 30388877fc1f1466cb5fc4dbbd946ecf0cc3df28c932be715bfff3731eba89eb
                                                                                                                            • Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
                                                                                                                            • Opcode Fuzzy Hash: 30388877fc1f1466cb5fc4dbbd946ecf0cc3df28c932be715bfff3731eba89eb
                                                                                                                            • Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                                              • Part of subcall function 004062A6: SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                                                                            • memcpy.MSVCRT(00000000,00000000,?,00000000,00000000,?,00000000,0040627C), ref: 00406942
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ??2@FilePointermemcpy
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 609303285-0
                                                                                                                            • Opcode ID: 56af1d3d616a015a3ecb908bea2399ecc0b12673b9d22b9fdb7fca1b43f88111
                                                                                                                            • Instruction ID: a147fa8ec668463fbbadbca9a08a444fcb23aa95a0ceadfc627c4072e562ebd5
                                                                                                                            • Opcode Fuzzy Hash: 56af1d3d616a015a3ecb908bea2399ecc0b12673b9d22b9fdb7fca1b43f88111
                                                                                                                            • Instruction Fuzzy Hash: 4B11A7B2500108BBDB11A755C840F9F77ADDF85318F16807AF90677281C778AE2687A9
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _wcsicmp
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2081463915-0
                                                                                                                            • Opcode ID: cbddd43e50b6ded4d98ad0d82dd6b3ceb41ab08d79f44c56bc7594620457dfc9
                                                                                                                            • Instruction ID: 44e68c08f8902dbc9d3bec9e3d7b81d72528a2b8c41660eeece459a1934edfa0
                                                                                                                            • Opcode Fuzzy Hash: cbddd43e50b6ded4d98ad0d82dd6b3ceb41ab08d79f44c56bc7594620457dfc9
                                                                                                                            • Instruction Fuzzy Hash: 0C118CB1600205AFD710DF65C8809AAB7F8FF44314F11843EE55AE7240EB34F9658B68
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                                                                                                              • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                            • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                                                                                                              • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: File$CloseCreateErrorHandleLastRead
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2136311172-0
                                                                                                                            • Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                                                                            • Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
                                                                                                                            • Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                                                                            • Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ??2@??3@
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1936579350-0
                                                                                                                            • Opcode ID: b7d64a9db0ab8f7e7b6c625ee8b1c93a5659d73149cb5b89327274070e360fa5
                                                                                                                            • Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
                                                                                                                            • Opcode Fuzzy Hash: b7d64a9db0ab8f7e7b6c625ee8b1c93a5659d73149cb5b89327274070e360fa5
                                                                                                                            • Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: free
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1294909896-0
                                                                                                                            • Opcode ID: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                                                                                            • Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
                                                                                                                            • Opcode Fuzzy Hash: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                                                                                            • Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: free
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1294909896-0
                                                                                                                            • Opcode ID: 908a2f96169ffd3f5635234353574390e30f5bbba8146f1a6a93cc8e14f9cc97
                                                                                                                            • Instruction ID: 5e082493cfe38c59748d9de5a46a99a47989c0e105afa31b953e1adb18ef7a34
                                                                                                                            • Opcode Fuzzy Hash: 908a2f96169ffd3f5635234353574390e30f5bbba8146f1a6a93cc8e14f9cc97
                                                                                                                            • Instruction Fuzzy Hash: 17900282455501105C0425755C06505110808A313A376074A7032955D1CE188060601D
                                                                                                                            APIs
                                                                                                                            • GetLastError.KERNEL32 ref: 004182D7
                                                                                                                              • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                            • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                                                                                                            • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                                                                                                            • LocalFree.KERNEL32(?), ref: 00418342
                                                                                                                            • free.MSVCRT ref: 00418370
                                                                                                                              • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,74DEDF80,?,0041755F,?), ref: 00417452
                                                                                                                              • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
                                                                                                                            • String ID: OsError 0x%x (%u)
                                                                                                                            • API String ID: 2360000266-2664311388
                                                                                                                            • Opcode ID: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                                                                                                            • Instruction ID: 20f22e5b187e4483f2e635e74e626e0383ca95cf640bb4168ff376264581b0c9
                                                                                                                            • Opcode Fuzzy Hash: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                                                                                                            • Instruction Fuzzy Hash: 6011B634901128FBCB11ABE2DC49CDF7F78FF85B54B10405AF811A2251DB754A81D7A9
                                                                                                                            APIs
                                                                                                                            • GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Version
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1889659487-0
                                                                                                                            • Opcode ID: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
                                                                                                                            • Instruction ID: 34334e4c1a53cba42546035453d5331cf18162d9798f59f763323439a3546438
                                                                                                                            • Opcode Fuzzy Hash: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
                                                                                                                            • Instruction Fuzzy Hash: BAE0463590131CCFEB24DB34DB0B7C676F5AB08B46F0104F4C20AC2092D3789688CA2A
                                                                                                                            APIs
                                                                                                                            • _wcsicmp.MSVCRT ref: 004022A6
                                                                                                                            • _wcsicmp.MSVCRT ref: 004022D7
                                                                                                                            • _wcsicmp.MSVCRT ref: 00402305
                                                                                                                            • _wcsicmp.MSVCRT ref: 00402333
                                                                                                                              • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                                              • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,Function_0004E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                                                                            • memset.MSVCRT ref: 0040265F
                                                                                                                            • memcpy.MSVCRT(?,?,00000011), ref: 0040269B
                                                                                                                              • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                                              • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                              • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                                                                            • memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
                                                                                                                            • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                                                                                                            • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _wcsicmp$Freememcpy$Library$AddressCryptDataLocalProcUnprotectmemsetwcslen
                                                                                                                            • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                                                                                                            • API String ID: 2929817778-1134094380
                                                                                                                            • Opcode ID: 6b2dcad71dd29105a6653737fa8e45fa2e3e7ed8fa5e3c17c72860e5870ea394
                                                                                                                            • Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
                                                                                                                            • Opcode Fuzzy Hash: 6b2dcad71dd29105a6653737fa8e45fa2e3e7ed8fa5e3c17c72860e5870ea394
                                                                                                                            • Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767
                                                                                                                            APIs
                                                                                                                            • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                                                                                                            • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                                                                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                                                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                                                                                                            • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                                                                                                            • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                                                                                                            • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                                                                                                            • GetWindowRect.USER32(?,?), ref: 00414088
                                                                                                                            • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                                                                                                            • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                                                                                                            • GetDC.USER32 ref: 004140E3
                                                                                                                            • wcslen.MSVCRT ref: 00414123
                                                                                                                            • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                                                                                                            • ReleaseDC.USER32(?,?), ref: 00414181
                                                                                                                            • _snwprintf.MSVCRT ref: 00414244
                                                                                                                            • SetWindowTextW.USER32(?,?), ref: 00414258
                                                                                                                            • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                                                                                                            • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                                                                                                            • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                                                                                                            • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                                                                                                            • GetClientRect.USER32(?,?), ref: 004142E1
                                                                                                                            • GetWindowRect.USER32(?,?), ref: 004142EB
                                                                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                                                                                                            • GetClientRect.USER32(?,?), ref: 0041433B
                                                                                                                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                                                                                                            • String ID: %s:$EDIT$STATIC
                                                                                                                            • API String ID: 2080319088-3046471546
                                                                                                                            • Opcode ID: d5ee3c6463b2dd39cebf85bfb280f62e7b68b75cb8304e0a6374ce3c4529937b
                                                                                                                            • Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
                                                                                                                            • Opcode Fuzzy Hash: d5ee3c6463b2dd39cebf85bfb280f62e7b68b75cb8304e0a6374ce3c4529937b
                                                                                                                            • Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16
                                                                                                                            APIs
                                                                                                                            • EndDialog.USER32(?,?), ref: 00413221
                                                                                                                            • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                                                                                                            • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                                                                                                            • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                                                                                                            • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                                                                                                            • memset.MSVCRT ref: 00413292
                                                                                                                            • memset.MSVCRT ref: 004132B4
                                                                                                                            • memset.MSVCRT ref: 004132CD
                                                                                                                            • memset.MSVCRT ref: 004132E1
                                                                                                                            • memset.MSVCRT ref: 004132FB
                                                                                                                            • memset.MSVCRT ref: 00413310
                                                                                                                            • GetCurrentProcess.KERNEL32 ref: 00413318
                                                                                                                            • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                                                                                                            • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                                                                                                            • memset.MSVCRT ref: 004133C0
                                                                                                                            • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                                                                                                            • memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
                                                                                                                            • wcscpy.MSVCRT ref: 0041341F
                                                                                                                            • _snwprintf.MSVCRT ref: 0041348E
                                                                                                                            • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                                                                                                            • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                                                                                                            • SetFocus.USER32(00000000), ref: 004134B7
                                                                                                                            Strings
                                                                                                                            • {Unknown}, xrefs: 004132A6
                                                                                                                            • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                                                                                            • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                                                                                            • API String ID: 4111938811-1819279800
                                                                                                                            APIs
                                                                                                                            • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                                                                                                            • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                                                                                                            • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                                                                                                            • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                                                                                                            • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                                                                                                            • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                                                                                                            • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                                                                                                            • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                                                                                                            • SetCursor.USER32(00000000,?,?), ref: 0040129E
                                                                                                                            • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                                                                                                            • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                                                                                                            • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                                                                                                            • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                                                                                                            • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                                                                                                            • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                                                                                                            • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                                                                                                            • EndDialog.USER32(?,?), ref: 0040135E
                                                                                                                            • DeleteObject.GDI32(?), ref: 0040136A
                                                                                                                            • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                                                                                                            • ShowWindow.USER32(00000000), ref: 00401398
                                                                                                                            • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                                                                                                            • ShowWindow.USER32(00000000), ref: 004013A7
                                                                                                                            • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                                                                                                            • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                                                                                                            • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                                                                                                            • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                                                                                                            Similarity
                                                                                                                            • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 829165378-0
                                                                                                                            APIs
                                                                                                                            • memset.MSVCRT ref: 00404172
                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                                            • wcscpy.MSVCRT ref: 004041D6
                                                                                                                            • wcscpy.MSVCRT ref: 004041E7
                                                                                                                            • memset.MSVCRT ref: 00404200
                                                                                                                            • memset.MSVCRT ref: 00404215
                                                                                                                            • _snwprintf.MSVCRT ref: 0040422F
                                                                                                                            • wcscpy.MSVCRT ref: 00404242
                                                                                                                            • memset.MSVCRT ref: 0040426E
                                                                                                                            • memset.MSVCRT ref: 004042CD
                                                                                                                            • memset.MSVCRT ref: 004042E2
                                                                                                                            • _snwprintf.MSVCRT ref: 004042FE
                                                                                                                            • wcscpy.MSVCRT ref: 00404311
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                                                                                                            • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                                                                                                            • API String ID: 2454223109-1580313836
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                                                                                                            • SetMenu.USER32(?,00000000), ref: 00411453
                                                                                                                            • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                                                                                                            • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                                                                                                            • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                                                                                                            • memcpy.MSVCRT(?,?,00002008,?,00000000,/nosaveload,00000000,00000001), ref: 004115C8
                                                                                                                            • ShowWindow.USER32(?,?), ref: 004115FE
                                                                                                                            • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                                                                                                            • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                                                                                                            • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                                                                                                            • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                                                                                                            • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                                                                                                              • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                                                                                                              • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                                                                                                            • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                                                                                                            • API String ID: 4054529287-3175352466
                                                                                                                            APIs
                                                                                                                            • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                                                                            • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                                                                            • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                                                                            • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                                                                            • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                                                                            • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                                                                            • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                                                                            • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                                                                            • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressProc$HandleModule
                                                                                                                            • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                                                                                                            • API String ID: 667068680-2887671607
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: _snwprintf$memset$wcscpy
                                                                                                                            • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                                            • API String ID: 2000436516-3842416460
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                                                                                                              • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                                                                                                              • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                                                              • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                                                              • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                                                              • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                                                              • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                                                              • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                                                              • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                                                              • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                                                              • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                                                                                                            • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                                                                                                            • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                                                                                                            • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                                                                                                            • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                                                                                                            • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                                                                                                            • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                                                                                                            • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                                                                                                            • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                                                                                                            • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1043902810-0
                                                                                                                            • Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                                                                            • Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
                                                                                                                            • Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                                                                            • Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000001,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 0040859D
                                                                                                                              • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                            • memset.MSVCRT ref: 004085CF
                                                                                                                            • memset.MSVCRT ref: 004085F1
                                                                                                                            • memset.MSVCRT ref: 00408606
                                                                                                                            • strcmp.MSVCRT ref: 00408645
                                                                                                                            • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
                                                                                                                            • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
                                                                                                                            • memset.MSVCRT ref: 0040870E
                                                                                                                            • strcmp.MSVCRT ref: 0040876B
                                                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
                                                                                                                            • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                                                                                                            • String ID: ---
                                                                                                                            • API String ID: 3437578500-2854292027
                                                                                                                            • Opcode ID: 514a4b219222fc308ac2af9ebc5a2bc9af16dfffa76d3dbf40f60a33dc7994f2
                                                                                                                            • Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
                                                                                                                            • Opcode Fuzzy Hash: 514a4b219222fc308ac2af9ebc5a2bc9af16dfffa76d3dbf40f60a33dc7994f2
                                                                                                                            • Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                            • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                                                            • malloc.MSVCRT ref: 004186B7
                                                                                                                            • free.MSVCRT ref: 004186C7
                                                                                                                            • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                                                                                                            • free.MSVCRT ref: 004186E0
                                                                                                                            • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                                                                                                            • malloc.MSVCRT ref: 004186FE
                                                                                                                            • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                                                                                                            • free.MSVCRT ref: 00418716
                                                                                                                            • free.MSVCRT ref: 0041872A
                                                                                                                            • free.MSVCRT ref: 00418749
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: free$FullNamePath$malloc$Version
                                                                                                                            • String ID: |A
                                                                                                                            • API String ID: 3356672799-1717621600
                                                                                                                            • Opcode ID: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                                                                                                            • Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
                                                                                                                            • Opcode Fuzzy Hash: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                                                                                                            • Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _wcsicmp
                                                                                                                            • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                                                                            • API String ID: 2081463915-1959339147
                                                                                                                            • Opcode ID: ed70c74fadb10ab7d72ef9915f44c0908033a9cd6b37cdcdb0b46a34d9d8d060
                                                                                                                            • Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
                                                                                                                            • Opcode Fuzzy Hash: ed70c74fadb10ab7d72ef9915f44c0908033a9cd6b37cdcdb0b46a34d9d8d060
                                                                                                                            • Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E
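                                                                                                                             Triage note on the function above: its String ID lists /scomma, /shtml, /skeepass, /stab, /stabular, /sverhtml and /sxml, compared with _wcsicmp. Those are the command-line export switches of the NirSoft credential-recovery utilities, so their presence as a wide-string table is a cheap indicator that a NirSoft password dumper has been embedded in or dropped by the sample. The script below is an added example and is not part of the Joe Sandbox report or of the analysed binary: it scans a raw byte blob (a dropped PE, an unpacked memory dump) for that switch family in both ASCII and UTF-16LE, matches whole tokens so that /stab does not fire inside /stabular, and scores the result. The sample buffer, the MIN_DISTINCT_SWITCHES threshold and all function names are assumptions made for illustration.

```python
"""Heuristic scan for embedded NirSoft export switches (added example)."""
from dataclasses import dataclass, field

# Switch family taken from the report's String ID line for the _wcsicmp function.
NIRSOFT_EXPORT_SWITCHES = (
    "/scomma", "/shtml", "/skeepass", "/stab", "/stabular", "/sverhtml", "/sxml",
)

# Assumption: demand several distinct switches before flagging, so a lone
# "/stab" in unrelated code does not produce a hit.
MIN_DISTINCT_SWITCHES = 3


@dataclass
class SwitchScan:
    ascii_hits: dict = field(default_factory=dict)  # switch -> list of offsets
    wide_hits: dict = field(default_factory=dict)   # switch -> list of offsets

    @property
    def distinct(self) -> set:
        return set(self.ascii_hits) | set(self.wide_hits)

    @property
    def suspicious(self) -> bool:
        return len(self.distinct) >= MIN_DISTINCT_SWITCHES


def _find_tokens(hay: bytes, needle: bytes, step: int) -> list:
    """Offsets of needle in hay, matched as whole tokens: the character that
    follows must not be a letter. hay is already lower-cased, mirroring the
    case-insensitive _wcsicmp seen in the listing. step is 1 for ASCII,
    2 for UTF-16LE (letter byte followed by 0x00)."""
    hits, start = [], 0
    while True:
        i = hay.find(needle, start)
        if i < 0:
            return hits
        end = i + len(needle)
        nxt = hay[end:end + step]
        is_letter = (
            len(nxt) == step
            and b"a" <= nxt[:1] <= b"z"
            and (step == 1 or nxt[1:2] == b"\x00")
        )
        if not is_letter:
            hits.append(i)
        start = i + 1


def scan_for_nirsoft_switches(blob: bytes) -> SwitchScan:
    """Scan a raw blob for the NirSoft switch family in ASCII and UTF-16LE."""
    hay = blob.lower()  # bytes.lower() only touches ASCII letters, offsets are preserved
    result = SwitchScan()
    for sw in NIRSOFT_EXPORT_SWITCHES:
        a = _find_tokens(hay, sw.encode("ascii"), 1)
        if a:
            result.ascii_hits[sw] = a
        w = _find_tokens(hay, sw.encode("utf-16-le"), 2)
        if w:
            result.wide_hits[sw] = w
    return result


def build_sample_blob() -> bytes:
    """Constructed input, not data from the real sample: padding, one unrelated
    ASCII '/stab' token, then a UTF-16LE switch table of the kind the listed
    function compares its argument against."""
    wide_table = b"".join(
        s.encode("utf-16-le") + b"\x00\x00"
        for s in ("/shtml", "/sverhtml", "/sxml", "/stabular", "/skeepass")
    )
    return b"\x90" * 16 + b"/stab\x00" + b"\x00" * 8 + wide_table + b"\xcc" * 16


def summarize(scan: SwitchScan) -> str:
    """One-line verdict suitable for a triage log."""
    verdict = "SUSPICIOUS" if scan.suspicious else "clean"
    return f"{verdict}: {len(scan.distinct)} distinct NirSoft switches " \
           f"(ascii={sorted(scan.ascii_hits)}, wide={sorted(scan.wide_hits)})"


if __name__ == "__main__":
    print(summarize(scan_for_nirsoft_switches(build_sample_blob())))
```

                                                                                                                             Run it against the dumped image rather than the on-disk dropper when the sample is packed, since the switch table is only visible after unpacking. A hit is an indicator, not proof: legitimate NirSoft installations carry the same strings, so confirm by checking whether the parent process is the sample and whether the output path of the export switch is written to.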
                                                                                                                            APIs
                                                                                                                            • GetDC.USER32(00000000), ref: 004121FF
                                                                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                                                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                                                                                                            • SetBkMode.GDI32(?,00000001), ref: 00412232
                                                                                                                            • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                                                                                                            • SelectObject.GDI32(?,?), ref: 00412251
                                                                                                                            • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                                                                                                            • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                                                                                                              • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                                                                                                              • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                                                                                                              • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                                                                                                            • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                                                                                                            • SetCursor.USER32(00000000), ref: 004122BC
                                                                                                                            • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                                                                                                            • memcpy.MSVCRT(?,?,00002008), ref: 0041234D
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1700100422-0
                                                                                                                            • Opcode ID: 982738172b7671ed7e60757921d653f6822ff96d67897b30d29685b1d4afaeae
                                                                                                                            • Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
                                                                                                                            • Opcode Fuzzy Hash: 982738172b7671ed7e60757921d653f6822ff96d67897b30d29685b1d4afaeae
                                                                                                                            • Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
                                                                                                                            APIs
                                                                                                                            • GetClientRect.USER32(?,?), ref: 004111E0
                                                                                                                            • GetWindowRect.USER32(?,?), ref: 004111F6
                                                                                                                            • GetWindowRect.USER32(?,?), ref: 0041120C
                                                                                                                            • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                                                                                                            • GetWindowRect.USER32(00000000), ref: 0041124D
                                                                                                                            • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                                                                                                            • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                                                                                                            • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                                                                                                            • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                                                                                                            • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                                                                                                            • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                                                                                                            • EndDeferWindowPos.USER32(?), ref: 0041130B
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Window$Defer$Rect$BeginClientItemPoints
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 552707033-0
                                                                                                                            • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                                                                            • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                                                                                                                            • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                                                                            • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
                                                                                                                            APIs
                                                                                                                            • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
                                                                                                                              • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                                                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                                                                                                              • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                                                                                                              • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                                                                                            • memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
                                                                                                                            • strchr.MSVCRT ref: 0040C140
                                                                                                                            • strchr.MSVCRT ref: 0040C151
                                                                                                                            • _strlwr.MSVCRT ref: 0040C15F
                                                                                                                            • memset.MSVCRT ref: 0040C17A
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
                                                                                                                            • String ID: 4$h
                                                                                                                            • API String ID: 4066021378-1856150674
                                                                                                                            • Opcode ID: 71bd764b9dcf29740d9000bfd46b6f343dec630bed034bbd58b4fa538d0cb68c
                                                                                                                            • Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
                                                                                                                            • Opcode Fuzzy Hash: 71bd764b9dcf29740d9000bfd46b6f343dec630bed034bbd58b4fa538d0cb68c
                                                                                                                            • Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: memset$_snwprintf
                                                                                                                            • String ID: %%0.%df
                                                                                                                            • API String ID: 3473751417-763548558
                                                                                                                            • Opcode ID: 2b153c1cf1109f668433ad91a4c4fbef48d688dda569af0dd2d123790ad71e5e
                                                                                                                            • Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
                                                                                                                            • Opcode Fuzzy Hash: 2b153c1cf1109f668433ad91a4c4fbef48d688dda569af0dd2d123790ad71e5e
                                                                                                                            • Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
                                                                                                                            APIs
                                                                                                                            • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                                                                                                            • KillTimer.USER32(?,00000041), ref: 004060D7
                                                                                                                            • KillTimer.USER32(?,00000041), ref: 004060E8
                                                                                                                            • GetTickCount.KERNEL32 ref: 0040610B
                                                                                                                            • GetParent.USER32(?), ref: 00406136
                                                                                                                            • SendMessageW.USER32(00000000), ref: 0040613D
                                                                                                                            • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                                                                                                            • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                                                                                                            • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                                                                                                            • String ID: A
                                                                                                                            • API String ID: 2892645895-3554254475
                                                                                                                            • Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                                                                                            • Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
                                                                                                                            • Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                                                                                            • Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                                                                                            • String ID: 0$6
                                                                                                                            • API String ID: 4066108131-3849865405
                                                                                                                            • Opcode ID: fc96a420e8f8bdf87928e34e657a0b6c1b8723afb93dcca2deed5b8d5a3436dd
                                                                                                                            • Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
                                                                                                                            • Opcode Fuzzy Hash: fc96a420e8f8bdf87928e34e657a0b6c1b8723afb93dcca2deed5b8d5a3436dd
                                                                                                                            • Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
                                                                                                                            APIs
                                                                                                                            • memset.MSVCRT ref: 004082EF
                                                                                                                              • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                            • memset.MSVCRT ref: 00408362
                                                                                                                            • memset.MSVCRT ref: 00408377
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: memset$ByteCharMultiWide
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 290601579-0
                                                                                                                            • Opcode ID: aa14e1b9e389497361ed401ed70ebc10d5f62d7ff5e107018b9223dc9ab6e0fb
                                                                                                                            • Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
                                                                                                                            • Opcode Fuzzy Hash: aa14e1b9e389497361ed401ed70ebc10d5f62d7ff5e107018b9223dc9ab6e0fb
                                                                                                                            • Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
                                                                                                                            APIs
                                                                                                                            • memset.MSVCRT ref: 0040A47B
                                                                                                                            • _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                                            • wcslen.MSVCRT ref: 0040A4BA
                                                                                                                            • memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                                            • wcslen.MSVCRT ref: 0040A4E0
                                                                                                                            • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: memcpywcslen$_snwprintfmemset
                                                                                                                            • String ID: %s (%s)$YV@
                                                                                                                            • API String ID: 3979103747-598926743
                                                                                                                            • Opcode ID: 1cd29c0c96bb3ddeb02ffde04bffb630c2350d0f86c95190f97a15d0a128dfe3
                                                                                                                            • Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
                                                                                                                            • Opcode Fuzzy Hash: 1cd29c0c96bb3ddeb02ffde04bffb630c2350d0f86c95190f97a15d0a128dfe3
                                                                                                                            • Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
                                                                                                                            APIs
                                                                                                                            • LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044C3
                                                                                                                            • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                                                            • FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044E9
                                                                                                                            • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Library$AddressFreeLoadMessageProc
                                                                                                                            • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                                                            • API String ID: 2780580303-317687271
                                                                                                                            • Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                                                                                            • Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
                                                                                                                            • Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                                                                                            • Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
                                                                                                                            APIs
                                                                                                                            • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,00409764,?,00000000,?,00410669,00000000,?,00412758,00000000), ref: 0040A686
                                                                                                                            • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00409764,?,00000000,?,00410669), ref: 0040A6A4
                                                                                                                            • wcslen.MSVCRT ref: 0040A6B1
                                                                                                                            • wcscpy.MSVCRT ref: 0040A6C1
                                                                                                                            • LocalFree.KERNEL32(00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00409764,?,00000000,?,00410669,00000000), ref: 0040A6CB
                                                                                                                            • wcscpy.MSVCRT ref: 0040A6DB
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                                                                                            • String ID: Unknown Error$netmsg.dll
                                                                                                                            • API String ID: 2767993716-572158859
                                                                                                                            • Opcode ID: 5982e7e4988f8d3682e164896efd2193f6d57f3c4e1bf6f54fb8b809858ad133
                                                                                                                            • Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
                                                                                                                            • Opcode Fuzzy Hash: 5982e7e4988f8d3682e164896efd2193f6d57f3c4e1bf6f54fb8b809858ad133
                                                                                                                            • Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            • out of memory, xrefs: 0042F865
                                                                                                                            • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                                                                                                            • cannot ATTACH database within transaction, xrefs: 0042F663
                                                                                                                            • unable to open database: %s, xrefs: 0042F84E
                                                                                                                            • too many attached databases - max %d, xrefs: 0042F64D
                                                                                                                            • database is already attached, xrefs: 0042F721
                                                                                                                            • database %s is already in use, xrefs: 0042F6C5
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: memcpymemset
                                                                                                                            • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                                                                            • API String ID: 1297977491-2001300268
                                                                                                                            • Opcode ID: b87818fa112a0acc8a66a9ae252063e0b2e26e7fac12933c278b7e571d5e68ae
                                                                                                                            • Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
                                                                                                                            • Opcode Fuzzy Hash: b87818fa112a0acc8a66a9ae252063e0b2e26e7fac12933c278b7e571d5e68ae
                                                                                                                            • Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59
                                                                                                                            APIs
                                                                                                                            • DeleteFileW.KERNEL32(00000000,00000000,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
                                                                                                                            • GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
                                                                                                                            • GetLastError.KERNEL32 ref: 0041855C
                                                                                                                            • Sleep.KERNEL32(00000064), ref: 00418571
                                                                                                                            • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
                                                                                                                            • GetFileAttributesA.KERNEL32(00000000), ref: 00418581
                                                                                                                            • GetLastError.KERNEL32 ref: 0041858E
                                                                                                                            • Sleep.KERNEL32(00000064), ref: 004185A3
                                                                                                                            • free.MSVCRT ref: 004185AC
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: File$AttributesDeleteErrorLastSleep$free
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2802642348-0
                                                                                                                            • Opcode ID: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                                                                                                            • Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
                                                                                                                            • Opcode Fuzzy Hash: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                                                                                                            • Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
                                                                                                                            APIs
                                                                                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                                                                                                            • wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                              • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                                                                                                              • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                                                                                                            • wcslen.MSVCRT ref: 0040D1D3
                                                                                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                                                                                                            • LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                                                                                                            • memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                                                                                                              • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0CC
                                                                                                                              • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0EA
                                                                                                                              • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D108
                                                                                                                              • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D126
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                                                                                            • String ID: strings
                                                                                                                            • API String ID: 3166385802-3030018805
                                                                                                                            • Opcode ID: 07dd20e83a72376c017d688d2d43246e42d1d17d60f688a4af98472ad4cd9316
                                                                                                                            • Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
                                                                                                                            • Opcode Fuzzy Hash: 07dd20e83a72376c017d688d2d43246e42d1d17d60f688a4af98472ad4cd9316
                                                                                                                            • Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                                                                                                                              • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                                                                                                                              • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                                                                              • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                                                                            • memcpy.MSVCRT(?,?,00000040), ref: 0044A8BF
                                                                                                                            • memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044A90C
                                                                                                                            • memcpy.MSVCRT(?,?,00000040), ref: 0044A988
                                                                                                                              • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000040,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A422
                                                                                                                              • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000008,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A46E
                                                                                                                            • memcpy.MSVCRT(?,?,00000000), ref: 0044A9D8
                                                                                                                            • memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 0044AA19
                                                                                                                            • memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 0044AA4A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: memcpy$memset
                                                                                                                            • String ID: gj
                                                                                                                            • API String ID: 438689982-4203073231
                                                                                                                            • Opcode ID: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                                                                                            • Instruction ID: 6893d0ddfb5a5ce8f484e87047b84ef7868cce638272d7e844f470f6f9013d76
                                                                                                                            • Opcode Fuzzy Hash: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                                                                                            • Instruction Fuzzy Hash: 2E71D6F39083449BE310EF25D84059FB7E9ABD5348F050E2EF88997205E639DA19C797
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                                                                                                            • memset.MSVCRT ref: 00405455
                                                                                                                            • memset.MSVCRT ref: 0040546C
                                                                                                                            • memset.MSVCRT ref: 00405483
                                                                                                                            • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405498
                                                                                                                            • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054AD
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: memset$memcpy$ErrorLast
                                                                                                                            • String ID: 6$\
                                                                                                                            • API String ID: 404372293-1284684873
                                                                                                                            • Opcode ID: 0330b9b22cd30b5b2625a0a7e6ceceae146d238a8b356c7611763844912e7754
                                                                                                                            • Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
                                                                                                                            • Opcode Fuzzy Hash: 0330b9b22cd30b5b2625a0a7e6ceceae146d238a8b356c7611763844912e7754
                                                                                                                            • Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
                                                                                                                            APIs
                                                                                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                                                                                                            • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                                                                                                            • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                                                                                                            • wcscpy.MSVCRT ref: 0040A0D9
                                                                                                                            • wcscat.MSVCRT ref: 0040A0E6
                                                                                                                            • wcscat.MSVCRT ref: 0040A0F5
                                                                                                                            • wcscpy.MSVCRT ref: 0040A107
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1331804452-0
                                                                                                                            • Opcode ID: 23c89843948f9d4d6ccb23a927c15bd8e6af065920e5565f2ade9cfd678fbabf
                                                                                                                            • Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
                                                                                                                            • Opcode Fuzzy Hash: 23c89843948f9d4d6ccb23a927c15bd8e6af065920e5565f2ade9cfd678fbabf
                                                                                                                            • Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                                                                                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                                                                            • String ID: advapi32.dll
                                                                                                                            • API String ID: 2012295524-4050573280
                                                                                                                            • Opcode ID: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                                                                                                            • Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
                                                                                                                            • Opcode Fuzzy Hash: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                                                                                                            • Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            • <?xml version="1.0" ?>, xrefs: 0041007C
                                                                                                                            • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                                                                                                            • <%s>, xrefs: 004100A6
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: memset$_snwprintf
                                                                                                                            • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                                                            • API String ID: 3473751417-2880344631
                                                                                                                            • Opcode ID: 2b06e63593618d13b5a5b8efcda018c795261ff0c1630acf280f9998f6f819b8
                                                                                                                            • Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
                                                                                                                            • Opcode Fuzzy Hash: 2b06e63593618d13b5a5b8efcda018c795261ff0c1630acf280f9998f6f819b8
                                                                                                                            • Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: wcscat$_snwprintfmemset
                                                                                                                            • String ID: %2.2X
                                                                                                                            • API String ID: 2521778956-791839006
                                                                                                                            • Opcode ID: 31c2c2b958cbfb7d79e881a69437bc30ebdfa5a8327fe047e8a0291744cff554
                                                                                                                            • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                                                                                                                            • Opcode Fuzzy Hash: 31c2c2b958cbfb7d79e881a69437bc30ebdfa5a8327fe047e8a0291744cff554
                                                                                                                            • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _snwprintfwcscpy
                                                                                                                            • String ID: dialog_%d$general$menu_%d$strings
                                                                                                                            • API String ID: 999028693-502967061
                                                                                                                            • Opcode ID: 80a89c9967db9934379ab2cd2962a5087f7f7915bf37897dca38dc6723802d56
                                                                                                                            • Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
                                                                                                                            • Opcode Fuzzy Hash: 80a89c9967db9934379ab2cd2962a5087f7f7915bf37897dca38dc6723802d56
                                                                                                                            • Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                                                                              • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                                                                              • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                                                              • Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD
                                                                                                                            • memset.MSVCRT ref: 0040C439
                                                                                                                            • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                                                            • _wcsupr.MSVCRT ref: 0040C481
                                                                                                                              • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                                              • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                                              • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                                              • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                                                                                                            • memset.MSVCRT ref: 0040C4D0
                                                                                                                            • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4131475296-0
                                                                                                                            • Opcode ID: bbad7829663e404974ee36071e77aa52346e6492d823ab1d084cd5c9aca113c0
                                                                                                                            • Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
                                                                                                                            • Opcode Fuzzy Hash: bbad7829663e404974ee36071e77aa52346e6492d823ab1d084cd5c9aca113c0
                                                                                                                            • Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
                                                                                                                            APIs
                                                                                                                            • memset.MSVCRT ref: 004116FF
                                                                                                                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                                                                                                              • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                                                                                                              • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                                                                                                              • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                              • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                                                                                                              • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                                                              • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                                              • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                                                              • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                                              • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                                                              • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                                              • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                                                            • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                                                            • API String ID: 2618321458-3614832568
                                                                                                                            • Opcode ID: 9944a9292e2920dba3aaf51766bf3ae0805637ffbeb5ceac454ead9757247a29
                                                                                                                            • Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
                                                                                                                            • Opcode Fuzzy Hash: 9944a9292e2920dba3aaf51766bf3ae0805637ffbeb5ceac454ead9757247a29
                                                                                                                            • Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AttributesFilefreememset
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2507021081-0
                                                                                                                            • Opcode ID: f626a43687866fd62cff7198848d6d3005aba6e6c292beb9a178d7ac8eb7ae81
                                                                                                                            • Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
                                                                                                                            • Opcode Fuzzy Hash: f626a43687866fd62cff7198848d6d3005aba6e6c292beb9a178d7ac8eb7ae81
                                                                                                                            • Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE
                                                                                                                            APIs
                                                                                                                            • AreFileApisANSI.KERNEL32 ref: 004174FC
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                                                                                                            • malloc.MSVCRT ref: 00417524
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                                                                                                            • free.MSVCRT ref: 00417544
                                                                                                                            • free.MSVCRT ref: 00417562
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ByteCharMultiWidefree$ApisFilemalloc
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4131324427-0
                                                                                                                            • Opcode ID: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                                                                                                            • Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
                                                                                                                            • Opcode Fuzzy Hash: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                                                                                                            • Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
                                                                                                                            APIs
                                                                                                                            • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                                                                                                            • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                                                                                                            • free.MSVCRT ref: 0041822B
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: PathTemp$free
                                                                                                                            • String ID: %s\etilqs_$etilqs_
                                                                                                                            • API String ID: 924794160-1420421710
                                                                                                                            • Opcode ID: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                                                                                                            • Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
                                                                                                                            • Opcode Fuzzy Hash: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                                                                                                            • Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
                                                                                                                            APIs
                                                                                                                            • wcscpy.MSVCRT ref: 0041477F
                                                                                                                            • wcscpy.MSVCRT ref: 0041479A
                                                                                                                            • CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,00411B67,?,General,?,00000000,00000001), ref: 004147C1
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 004147C8
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: wcscpy$CloseCreateFileHandle
                                                                                                                            • String ID: General
                                                                                                                            • API String ID: 999786162-26480598
                                                                                                                            • Opcode ID: 54671a12e9c864bd4b64cc02a8f827eeeeb56075ac3ac549414b1b6b262afd21
                                                                                                                            • Instruction ID: 029e45c8424a23c50dbc4d8c1dfe1f9d14d00e2cf8bd1bf10ef2c4f99c7741b7
                                                                                                                            • Opcode Fuzzy Hash: 54671a12e9c864bd4b64cc02a8f827eeeeb56075ac3ac549414b1b6b262afd21
                                                                                                                            • Instruction Fuzzy Hash: 52F024B30083146FF7205B509C85EAF769CEB86369F25482FF05592092C7398C448669
                                                                                                                            APIs
                                                                                                                            • GetLastError.KERNEL32(00000000,?,00410669,00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00409750
                                                                                                                            • _snwprintf.MSVCRT ref: 0040977D
                                                                                                                            • MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00409796
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLastMessage_snwprintf
                                                                                                                            • String ID: Error$Error %d: %s
                                                                                                                            • API String ID: 313946961-1552265934
                                                                                                                            • Opcode ID: c861dc242bfbf6db3d3f925a4a6d39e026dc42dc2a3b2392217f61369f55f285
                                                                                                                            • Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
                                                                                                                            • Opcode Fuzzy Hash: c861dc242bfbf6db3d3f925a4a6d39e026dc42dc2a3b2392217f61369f55f285
                                                                                                                            • Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            • unknown column "%s" in foreign key definition, xrefs: 00431858
                                                                                                                            • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                                                                                                            • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: memcpy
                                                                                                                            • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                                                            • API String ID: 3510742995-272990098
                                                                                                                            • Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                                                                            • Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
                                                                                                                            • Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                                                                            • Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
                                                                                                                            APIs
                                                                                                                            • memset.MSVCRT ref: 0044A6EB
                                                                                                                            • memset.MSVCRT ref: 0044A6FB
                                                                                                                            • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                                                                            • memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: memcpymemset
                                                                                                                            • String ID: gj
                                                                                                                            • API String ID: 1297977491-4203073231
                                                                                                                            • Opcode ID: 89e2b4c479d66d8f351294c0966a75ef3485227debcc485d945bfba73828c7b8
                                                                                                                            • Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
                                                                                                                            • Opcode Fuzzy Hash: 89e2b4c479d66d8f351294c0966a75ef3485227debcc485d945bfba73828c7b8
                                                                                                                            • Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
                                                                                                                            APIs
                                                                                                                            • AreFileApisANSI.KERNEL32 ref: 00417497
                                                                                                                            • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                                                                                            • malloc.MSVCRT ref: 004174BD
                                                                                                                            • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                                                                                            • free.MSVCRT ref: 004174E4
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4053608372-0
                                                                                                                            • Opcode ID: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                                                                                                            • Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
                                                                                                                            • Opcode Fuzzy Hash: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                                                                                                            • Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
                                                                                                                            APIs
                                                                                                                            • GetParent.USER32(?), ref: 0040D453
                                                                                                                            • GetWindowRect.USER32(?,?), ref: 0040D460
                                                                                                                            • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                                                                                            • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                                                                                                            • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Window$Rect$ClientParentPoints
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4247780290-0
                                                                                                                            • Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                                                                            • Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
                                                                                                                            • Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                                                                            • Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                                                            • ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                                                                            • memset.MSVCRT ref: 004450CD
                                                                                                                              • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                            • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                                                                              • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                                                                                                              • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                                                                              • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                                                                              • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1471605966-0
                                                                                                                            • Opcode ID: edfdfd5907517e88f4142de78b3de7a943e3e7aedefbd09b5ff7bb7402004b57
                                                                                                                            • Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
                                                                                                                            • Opcode Fuzzy Hash: edfdfd5907517e88f4142de78b3de7a943e3e7aedefbd09b5ff7bb7402004b57
                                                                                                                            • Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD
                                                                                                                            APIs
                                                                                                                            • wcscpy.MSVCRT ref: 0044475F
                                                                                                                            • wcscat.MSVCRT ref: 0044476E
                                                                                                                            • wcscat.MSVCRT ref: 0044477F
                                                                                                                            • wcscat.MSVCRT ref: 0044478E
                                                                                                                              • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                              • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                                                                                                              • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?,004447CD,?,?,?,00000000,?), ref: 00409AA5
                                                                                                                              • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                                                                                                            • String ID: \StringFileInfo\
                                                                                                                            • API String ID: 102104167-2245444037
                                                                                                                            • Opcode ID: 5de2f5fc2277cc411a3074599cad155646ee2126b3ab30f355a99381f63f29ed
                                                                                                                            • Instruction ID: e4f437c51a7ffcfb72b972a214432876dbdec8abc2c75880463b8380eb377783
                                                                                                                            • Opcode Fuzzy Hash: 5de2f5fc2277cc411a3074599cad155646ee2126b3ab30f355a99381f63f29ed
                                                                                                                            • Instruction Fuzzy Hash: 41018FB290021DB6EF10EAA1DC45EDF73BCAB05304F0004B7B514F2052EE38DB969B69
                                                                                                                            APIs
                                                                                                                            • memset.MSVCRT ref: 004100FB
                                                                                                                            • memset.MSVCRT ref: 00410112
                                                                                                                              • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                                                                              • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                                                                            • _snwprintf.MSVCRT ref: 00410141
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: memset$_snwprintf_wcslwrwcscpy
                                                                                                                            • String ID: </%s>
                                                                                                                            • API String ID: 3400436232-259020660
                                                                                                                            • Opcode ID: 5b9d86c37e8fc893e623c972aadbd746c4d139f4edb44e4e662c1ed71a902018
                                                                                                                            • Instruction ID: d6b380c41b5e3e458bf6abeca455f552dea24a705517b0a2e3702c553642f250
                                                                                                                            • Opcode Fuzzy Hash: 5b9d86c37e8fc893e623c972aadbd746c4d139f4edb44e4e662c1ed71a902018
                                                                                                                            • Instruction Fuzzy Hash: 9B01DBF3D0012977D730A755CC46FEA76ACEF45304F0000B6BB08B3186DB78DA458A99
                                                                                                                            APIs
                                                                                                                            • memset.MSVCRT ref: 0040E770
                                                                                                                            • SendMessageW.USER32(?,0000105F,00000000,?), ref: 0040E79F
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: MessageSendmemset
                                                                                                                            • String ID: AE$"
                                                                                                                            • API String ID: 568519121-1989281832
                                                                                                                            • Opcode ID: b8b737cf360229c8c3c0ba8ae205d700f5cbc6e636b32f375fd4ccd57fc75389
                                                                                                                            • Instruction ID: 5049a961280a3e8282645b70ff0f7bf8ff78c54eb6baa8beabb6daf17925e322
                                                                                                                            • Opcode Fuzzy Hash: b8b737cf360229c8c3c0ba8ae205d700f5cbc6e636b32f375fd4ccd57fc75389
                                                                                                                            • Instruction Fuzzy Hash: A701A239900204ABEB209F5ACC81EABB7F8FF44B45F008429E854A7291D3349855CF79
                                                                                                                            APIs
                                                                                                                            • memset.MSVCRT ref: 0040D58D
                                                                                                                            • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                                                                                                            • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ChildEnumTextWindowWindowsmemset
                                                                                                                            • String ID: caption
                                                                                                                            • API String ID: 1523050162-4135340389
                                                                                                                            • Opcode ID: 0d93d59d75102ca4f37fb867a54fcac0e05f73641c093ad9b23abec7f1ae8059
                                                                                                                            • Instruction ID: dcfab03f3ae0740f4c11e1fd8af26e22289cdce227bdcda27870e2dbaf68b2c3
                                                                                                                            • Opcode Fuzzy Hash: 0d93d59d75102ca4f37fb867a54fcac0e05f73641c093ad9b23abec7f1ae8059
                                                                                                                            • Instruction Fuzzy Hash: 50F08131D0031876FB206B95CC4EB8A3268AB04744F000076BE04B61D2DBB8EA44C69D
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                                                                                                              • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                                                                                                            • CreateFontIndirectW.GDI32(?), ref: 00401156
                                                                                                                            • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                                                                                                            • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                                                                                                            • String ID: MS Sans Serif
                                                                                                                            • API String ID: 210187428-168460110
                                                                                                                            • Opcode ID: d52be591b3ab58c36f6074870949877e32a333ebc1fa33980d7036594a0e8467
                                                                                                                            • Instruction ID: 44e142790c58e2983bb51e892a2c7280827b5342727586ee11fe1c2be2fb852b
                                                                                                                            • Opcode Fuzzy Hash: d52be591b3ab58c36f6074870949877e32a333ebc1fa33980d7036594a0e8467
                                                                                                                            • Instruction Fuzzy Hash: 7CF082B5A4030877EB326BA1DC46F9A77BDBB44B01F040935F721B91D1D3F4A585C658
                                                                                                                            APIs
                                                                                                                            • memset.MSVCRT ref: 0040560C
                                                                                                                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                                                                                                              • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                                                                                                              • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                                                                                                              • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                              • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                                                                                                              • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                                                              • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                                              • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                                                              • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                                              • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                                                              • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                                              • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                                                            • String ID: *.*$dat$wand.dat
                                                                                                                            • API String ID: 2618321458-1828844352
                                                                                                                            • Opcode ID: 0657051124b0d036bd635f999d135efdf1f0fa3481af6b00979a6af828487765
                                                                                                                            • Instruction ID: e27ea46a2f82f1f177a07810d763c9ecc86b2647b265d762bc330c580f82b585
                                                                                                                            • Opcode Fuzzy Hash: 0657051124b0d036bd635f999d135efdf1f0fa3481af6b00979a6af828487765
                                                                                                                            • Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89
                                                                                                                            APIs
                                                                                                                            • memset.MSVCRT ref: 00412057
                                                                                                                              • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,Function_0004E518,Function_0004E518,00000005), ref: 0040A12C
                                                                                                                            • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                                                                                                            • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                                                                                                            • GetKeyState.USER32(00000010), ref: 0041210D
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3550944819-0
APIs
• free.MSVCRT ref: 0040F561
• memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
• memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6
Strings
Memory Dump Source
• Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Similarity
• API ID: memcpy$free
• String ID: g4@
• API String ID: 2888793982-2133833424
APIs
• memset.MSVCRT ref: 004144E7
  • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
  • Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
• WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
• memset.MSVCRT ref: 0041451A
• GetPrivateProfileStringW.KERNEL32(?,?,Function_0004E518,?,00002000,?), ref: 0041453C
Memory Dump Source
• Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Similarity
• API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
• String ID:
• API String ID: 1127616056-0
APIs
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,74DEDF80,?,0041755F,?), ref: 00417452
• malloc.MSVCRT ref: 00417459
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,74DEDF80,?,0041755F,?), ref: 00417478
• free.MSVCRT ref: 0041747F
Memory Dump Source
• Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Similarity
• API ID: ByteCharMultiWide$freemalloc
• String ID:
• API String ID: 2605342592-0
APIs
• GetModuleHandleW.KERNEL32(00000000,?,00000000), ref: 00412403
• RegisterClassW.USER32(00000001), ref: 00412428
• GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
• CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000,?), ref: 00412455
Memory Dump Source
• Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Similarity
• API ID: HandleModule$ClassCreateRegisterWindow
• String ID:
• API String ID: 2678498856-0
APIs
• memset.MSVCRT ref: 0040F673
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00007FFF,00000000,00000000,00000000), ref: 0040F690
• strlen.MSVCRT ref: 0040F6A2
• WriteFile.KERNEL32(00000001,?,00000000,00000000,00000000), ref: 0040F6B3
Memory Dump Source
• Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Similarity
• API ID: ByteCharFileMultiWideWritememsetstrlen
• String ID:
• API String ID: 2754987064-0
APIs
• memset.MSVCRT ref: 0040F6E2
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000001,000000FF,?,00001FFF,00000000,00000000,00000001,0044E5FC,00000000,00000000,00000000,?,00000000,00000000), ref: 0040F6FB
• strlen.MSVCRT ref: 0040F70D
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040F71E
Memory Dump Source
• Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Similarity
• API ID: ByteCharFileMultiWideWritememsetstrlen
• String ID:
• API String ID: 2754987064-0
APIs
  • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
  • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
  • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
• SetBkMode.GDI32(?,00000001), ref: 004143A2
• SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
• SetTextColor.GDI32(?,00C00000), ref: 004143BE
• GetStockObject.GDI32(00000000), ref: 004143C6
Memory Dump Source
• Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Similarity
• API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
• String ID:
• API String ID: 764393265-0
APIs
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
• SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
• SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
Memory Dump Source
• Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
Similarity
• API ID: Time$System$File$LocalSpecific
• String ID:
• API String ID: 979780441-0
                                                                                                                            APIs
                                                                                                                            • memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
                                                                                                                            • memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
                                                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                                                                                                            • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: memcpy$DialogHandleModuleParam
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1386444988-0
                                                                                                                            • Opcode ID: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                                                                                            • Instruction ID: 364e94b7bdcda47f4d7f1f8d7aeee0d56301a77e6e21c3ce81869cca2c347424
                                                                                                                            • Opcode Fuzzy Hash: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                                                                                            • Instruction Fuzzy Hash: 80F0E272A843207BF7207FA5AC0AB477E94FB05B03F114826F600E50D2C2B988518F8D
                                                                                                                            APIs
                                                                                                                            • wcschr.MSVCRT ref: 0040F79E
                                                                                                                            • wcschr.MSVCRT ref: 0040F7AC
                                                                                                                              • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                                                                                                              • Part of subcall function 0040AA8C: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040F7F4), ref: 0040AACB
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: wcschr$memcpywcslen
                                                                                                                            • String ID: "
                                                                                                                            • API String ID: 1983396471-123907689
                                                                                                                            • Opcode ID: 37fc4c0e45f0a8a54b588a11981c40142be0fe56f3c50330bf3b06fef0d62b23
                                                                                                                            • Instruction ID: b5ec2b97dc3a1d34b4ae52474db4a85f3d32b900c8044ec90cdce640e07fed14
                                                                                                                            • Opcode Fuzzy Hash: 37fc4c0e45f0a8a54b588a11981c40142be0fe56f3c50330bf3b06fef0d62b23
                                                                                                                            • Instruction Fuzzy Hash: 7C315532904204ABDF24EFA6C8419EEB7B4EF44324F20457BEC10B75D1DB789A46CE99
                                                                                                                            APIs
                                                                                                                            • _snwprintf.MSVCRT ref: 0040A398
                                                                                                                            • memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _snwprintfmemcpy
                                                                                                                            • String ID: %2.2X
                                                                                                                            • API String ID: 2789212964-323797159
                                                                                                                            • Opcode ID: ad0fc0dc4c4054376e52d8ba7d115ce3a6dbc9d30928944a1ebc7f5d9ce1ea74
                                                                                                                            • Instruction ID: 802357eb4f50a043e47c8b78e7782d62930b20b04af67ea92e1f933aeb07fc5a
                                                                                                                            • Opcode Fuzzy Hash: ad0fc0dc4c4054376e52d8ba7d115ce3a6dbc9d30928944a1ebc7f5d9ce1ea74
                                                                                                                            • Instruction Fuzzy Hash: 71118E32900309BFEB10DFE8D8829AFB3B9FB05314F108476ED11E7141D6789A258B96
                                                                                                                            APIs
                                                                                                                            • GetWindowLongW.USER32(?,000000EC), ref: 0040A159
                                                                                                                            • SetWindowLongW.USER32(000000EC,000000EC,00000000), ref: 0040A16B
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: LongWindow
                                                                                                                            • String ID: MZ@
                                                                                                                            • API String ID: 1378638983-2978689999
                                                                                                                            • Opcode ID: 897d752f6043cc922bbe5e3779e5fd859b92255b25006c63bcdd8f44162c87a9
                                                                                                                            • Instruction ID: 658df1d6f65a5f4ca5cf2dc917bfbc57e2b12ac14a328fb0c2cac09aa770bd9f
                                                                                                                            • Opcode Fuzzy Hash: 897d752f6043cc922bbe5e3779e5fd859b92255b25006c63bcdd8f44162c87a9
                                                                                                                            • Instruction Fuzzy Hash: 3FC0027415D116AFDF112B35EC0AE2A7EA9BB86362F208BB4B076E01F1CB7184109A09
                                                                                                                            APIs
                                                                                                                            • wcslen.MSVCRT ref: 0040B1DE
                                                                                                                            • free.MSVCRT ref: 0040B201
                                                                                                                              • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                                              • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                                                                                                              • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                                                            • free.MSVCRT ref: 0040B224
                                                                                                                            • memcpy.MSVCRT(00000000,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: free$memcpy$mallocwcslen
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 726966127-0
                                                                                                                            • Opcode ID: dbfa2e27eb608a9f9479d75297a1486c58e4153ca5a873f0eddd30e24b8e668e
                                                                                                                            • Instruction ID: 71128cbd9221161776fa816c6212d75478d488e0bdd8d9cf72ea7cd81dda7be0
                                                                                                                            • Opcode Fuzzy Hash: dbfa2e27eb608a9f9479d75297a1486c58e4153ca5a873f0eddd30e24b8e668e
                                                                                                                            • Instruction Fuzzy Hash: 02215BB2500604EFD720DF18D881CAAB7F9EF49324B114A6EE452976A1CB35B9158B98
                                                                                                                            APIs
                                                                                                                            • strlen.MSVCRT ref: 0040B0D8
                                                                                                                            • free.MSVCRT ref: 0040B0FB
                                                                                                                              • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                                              • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                                                                                                              • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                                                            • free.MSVCRT ref: 0040B12C
                                                                                                                            • memcpy.MSVCRT(00000000,?,00000000,00000000,0040B35A,?), ref: 0040B159
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: free$memcpy$mallocstrlen
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3669619086-0
                                                                                                                            • Opcode ID: 04e6466bee9c2f86a7d5fc6531cc0ab8b23c91005f7f75429686add4e9716e46
                                                                                                                            • Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
                                                                                                                            • Opcode Fuzzy Hash: 04e6466bee9c2f86a7d5fc6531cc0ab8b23c91005f7f75429686add4e9716e46
                                                                                                                            • Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F
                                                                                                                            APIs
                                                                                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                                                                                                            • malloc.MSVCRT ref: 00417407
                                                                                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                                                                                                            • free.MSVCRT ref: 00417425
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000001.00000002.1818958312.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                             • Associated: 00000001.00000002.1818958312.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_1_2_400000_17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ByteCharMultiWide$freemalloc
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2605342592-0
                                                                                                                            • Opcode ID: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                                                                                                            • Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
                                                                                                                            • Opcode Fuzzy Hash: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                                                                                                            • Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5