
Windows Analysis Report
1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe

Overview

General Information

Sample name: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe
Analysis ID: 1544507
MD5: bdc97150dac50c3f7ac1ea9ed9cffd76
SHA1: 47fd285845b588fa076d033f23823969b9c02af5
SHA256: dac8aa13562f80a9b9ee11080e7f4f4d4168cf8885b43453f1526d9778065ed8
Tags: base64-decoded, exe, user-abuse_ch

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Machine Learning detection for sample
Maps a DLL or memory area into another process
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Yara detected WebBrowserPassView password recovery tool
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["akwaeze234.duckdns.org:2024:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-VG9RMM", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source | Rule | Description | Author | Strings
1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6aab8:$a1: Remcos restarted by watchdog!
  • 0x6b030:$a3: %02i:%02i:%02i:%03i
1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | REMCOS_RAT_variants | unknown | unknown
  • 0x64b0c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64b7c:$str_b2: Executing file:
  • 0x65bfc:$str_b3: GetDirectListeningPort
  • 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65728:$str_b7: \update.vbs
  • 0x64ba4:$str_b9: Downloaded file:
  • 0x64b90:$str_b10: Downloading file:
  • 0x64c34:$str_b12: Failed to upload file:
  • 0x65bc4:$str_b13: StartForward
  • 0x65be4:$str_b14: StopForward
  • 0x65680:$str_b15: fso.DeleteFile "
  • 0x65614:$str_b16: On Error Resume Next
  • 0x656b0:$str_b17: fso.DeleteFolder "
  • 0x64c24:$str_b18: Uploaded file:
  • 0x64be4:$str_b19: Unable to delete:
  • 0x65648:$str_b20: while fso.FileExists("
  • 0x650c1:$str_c0: [Firefox StoredLogins not found]
Source | Rule | Description | Author | Strings
00000000.00000002.4516996122.0000000000763000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000004.00000000.2117329180.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000004.00000000.2117329180.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000004.00000000.2117329180.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000004.00000000.2117329180.0000000000459000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x134b8:$a1: Remcos restarted by watchdog!
  • 0x13a30:$a3: %02i:%02i:%02i:%03i
Source | Rule | Description | Author | Strings
3.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
3.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
3.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
3.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6aab8:$a1: Remcos restarted by watchdog!
  • 0x6b030:$a3: %02i:%02i:%02i:%03i
3.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x64b0c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64b7c:$str_b2: Executing file:
  • 0x65bfc:$str_b3: GetDirectListeningPort
  • 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65728:$str_b7: \update.vbs
  • 0x64ba4:$str_b9: Downloaded file:
  • 0x64b90:$str_b10: Downloading file:
  • 0x64c34:$str_b12: Failed to upload file:
  • 0x65bc4:$str_b13: StartForward
  • 0x65be4:$str_b14: StopForward
  • 0x65680:$str_b15: fso.DeleteFile "
  • 0x65614:$str_b16: On Error Resume Next
  • 0x656b0:$str_b17: fso.DeleteFolder "
  • 0x64c24:$str_b18: Uploaded file:
  • 0x64be4:$str_b19: Unable to delete:
  • 0x65648:$str_b20: while fso.FileExists("
  • 0x650c1:$str_c0: [Firefox StoredLogins not found]

Stealing of Sensitive Information

Source: Registry Key set | Author: Joe Security | Data: Details: … EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, ProcessId: 3148, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-VG9RMM\exepath
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-29T14:22:05.924850+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49706 | 178.215.224.176 | 2024 | TCP
2024-10-29T14:22:07.471809+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49707 | 178.215.224.176 | 2024 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-29T14:22:07.471870+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.5 | 49708 | 178.237.33.50 | 80 | TCP


AV Detection

Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Avira: detected
Source: 00000000.00000002.4516996122.000000000073E000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["akwaeze234.duckdns.org:2024:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-VG9RMM", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | ReversingLabs: Detection: 84%
Source: Yara match | File source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 3.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4516996122.0000000000763000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.2117329180.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.2116701859.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4516996122.000000000073E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2057706211.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.2116888046.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe PID: 3148, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe PID: 5352, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe PID: 1672, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe PID: 4464, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, | 0_2_004338C8
Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 2_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData, | 2_2_00404423
Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000000.00000000.2057706211.0000000000459000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Source: Yara match | File source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 3.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000000.2117329180.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.2116701859.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2057706211.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.2116888046.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe PID: 3148, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe PID: 5352, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe PID: 1672, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe PID: 4464, type: MEMORYSTR

Privilege Escalation

Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_00407538 _wcslen,CoGetObject, | 0_2_00407538
Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, | 0_2_0040928E
Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, | 0_2_0041C322
Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, | 0_2_0040C388
Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, | 0_2_004096A0
Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, | 0_2_00408847
Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_00407877 FindFirstFileW,FindNextFileW, | 0_2_00407877
Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_0044E8F9 FindFirstFileExA, | 0_2_0044E8F9
Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, | 0_2_0040BB6B
Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW, | 0_2_00419B86
Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, | 0_2_0040BD72
Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, | 0_2_100010F1
Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_10006580 FindFirstFileExA, | 0_2_10006580
Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 2_2_0040AE51 FindFirstFileW,FindNextFileW, | 2_2_0040AE51
Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 3_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, | 3_2_00407EF8
Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 4_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, | 4_2_00407898
Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, | 0_2_00407CD2

Networking

Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49707 -> 178.215.224.176:2024
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49706 -> 178.215.224.176:2024
Source: Malware configuration extractor | URLs: akwaeze234.duckdns.org
Source: unknown | DNS query: name: akwaeze234.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.5:49706 -> 178.215.224.176:2024
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 178.237.33.50 178.237.33.50
Source: Joe Sandbox View | ASN Name: LVLT-10753US LVLT-10753US
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49708 -> 178.237.33.50:80
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_0041B411 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, | 0_2_0041B411
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000000.00000002.4517618981.0000000003770000.00000040.10000000.00040000.00000000.sdmp, 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000004.00000002.2120026640.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000002.00000003.2135831775.0000000000B0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfms-settings:networkfile://192.168.2.1/all/install/setup.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000002.00000003.2135831775.0000000000B0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfms-settings:networkfile://192.168.2.1/all/install/setup.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000004.00000002.2120026640.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000000.00000002.4517457287.0000000003680000.00000040.10000000.00040000.00000000.sdmp, 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000000.00000002.4517457287.0000000003680000.00000040.10000000.00040000.00000000.sdmp, 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: global traffic | DNS traffic detected: DNS query: akwaeze234.duckdns.org
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: global traffic | DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
Source: bhv153A.tmp.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt0
Source: bhv153A.tmp.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: bhv153A.tmp.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhv153A.tmp.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv153A.tmp.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhv153A.tmp.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: bhv153A.tmp.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: bhv153A.tmp.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertCloudServicesCA-1-g1.crl0?
Source: bhv153A.tmp.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhv153A.tmp.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv153A.tmp.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv153A.tmp.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv153A.tmp.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv153A.tmp.2.dr | String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
                      Source: bhv153A.tmp.2.drString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
                      Source: bhv153A.tmp.2.drString found in binary or memory: http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl0
                      Source: bhv153A.tmp.2.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                      Source: bhv153A.tmp.2.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                      Source: bhv153A.tmp.2.drString found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                      Source: bhv153A.tmp.2.drString found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
                      Source: bhv153A.tmp.2.drString found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000000.00000003.2138371210.000000000077F000.00000004.00000020.00020000.00000000.sdmp, 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000000.00000002.4516996122.0000000000763000.00000004.00000020.00020000.00000000.sdmp, 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000000.00000003.2088774186.0000000000781000.00000004.00000020.00020000.00000000.sdmp, 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000000.00000003.2116526072.0000000000771000.00000004.00000020.00020000.00000000.sdmp, 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000000.00000003.2088774186.00000000007A0000.00000004.00000020.00020000.00000000.sdmp, 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000000.00000002.4517099762.0000000000781000.00000004.00000020.00020000.00000000.sdmp, 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000000.00000003.2088859660.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000000.00000003.2112960649.00000000007AE000.00000004.00000020.00020000.00000000.sdmp, 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000000.00000003.2138772230.0000000000780000.00000004.00000020.00020000.00000000.sdmp, 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000000.00000003.2112891670.0000000000775000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: 
http://geoplugin.net/json.gp
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeString found in binary or memory: http://geoplugin.net/json.gp/C
Source: bhv153A.tmp.2.dr | String found in binary or memory: http://ocsp.digicert.com0
Source: bhv153A.tmp.2.dr | String found in binary or memory: http://ocsp.digicert.com0:
Source: bhv153A.tmp.2.dr | String found in binary or memory: http://ocsp.digicert.com0H
Source: bhv153A.tmp.2.dr | String found in binary or memory: http://ocsp.digicert.com0I
Source: bhv153A.tmp.2.dr | String found in binary or memory: http://ocsp.msocsp.com0
Source: bhv153A.tmp.2.dr | String found in binary or memory: http://ocsp.msocsp.com0S
Source: bhv153A.tmp.2.dr | String found in binary or memory: http://ocspx.digicert.com0E
Source: bhv153A.tmp.2.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: bhv153A.tmp.2.dr | String found in binary or memory: http://www.digicert.com/CPS0~
Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000004.00000002.2120026640.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com
Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000004.00000002.2120026640.0000000000400000.00000040.80000000.00040000.00000000.sdmp, 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000004.00000003.2119402270.0000000000A0D000.00000004.00000020.00020000.00000000.sdmp, 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000004.00000003.2119474238.0000000000A0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.imvu.com
Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000004.00000003.2119402270.0000000000A0D000.00000004.00000020.00020000.00000000.sdmp, 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000004.00000003.2119474238.0000000000A0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.imvu.comata
Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000000.00000002.4517618981.0000000003770000.00000040.10000000.00040000.00000000.sdmp, 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000004.00000002.2120026640.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000000.00000002.4517618981.0000000003770000.00000040.10000000.00040000.00000000.sdmp, 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000004.00000002.2120026640.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comr
Source: bhv153A.tmp.2.dr | String found in binary or memory: http://www.msftconnecttest.com/connecttest.txt?n=1696428304750
Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000002.00000002.2136298252.0000000000193000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net
Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000004.00000002.2120026640.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpX
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-LAX31r5a&FrontEnd=AF
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://fp-afd-nocache.azureedge.net/apc/trans.gif?77686a33b2eafa1538ef78c3be5a5910
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://fp-afd-nocache.azureedge.net/apc/trans.gif?caa2cf97cacae25a18f577703684ee65
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?0cf92be82316943650f2ee723bc6949e
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?94fb5ac9609bcb4cda0bf8acf1827073
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?7e9591e308dbda599df1fc08720a72a3
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?c6a2869c584d2ea23c67c44abe1ec326
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://fp.msedge.net/conf/v1/asgw/fpconfig.min.json
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | String found in binary or memory: https://login.yahoo.com/config/login
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://maps.windows.com/windows-app-web-link
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-04-14-10-35/PreSignInSettingsConfig.json
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=4954a0
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-0debb885be07c402c948.js
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ec3581b6c9e6e9985aa7.chunk.v7.js
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.6c288f9aff9797959103.chunk.v7.js
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.9ba2d4c9e339ba497e10.chunk.v7.js
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-1652fd8b358d589e6ec0.js
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.52c45571d19ede0a7005.chunk.v7.j
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.d918c7fc33e22b41b936.chunk.v7.c
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000004.00000002.2120026640.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.google.com
Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhv153A.tmp.2.dr | String found in binary or memory: https://www.office.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000 | 0_2_0040A2F3
Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard, | 0_2_0040B749
Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, | 0_2_004168FC
Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 2_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, | 2_2_0040987A
Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 2_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, | 2_2_004098E2
Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 3_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, | 3_2_00406DFC
Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 3_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, | 3_2_00406E9F
Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 4_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, | 4_2_004068B5
Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 4_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, | 4_2_004072B5
Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard, | 0_2_0040B749
Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, | 0_2_0040A41B
Source: Yara match | File source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 3.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000000.2117329180.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.2116701859.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2057706211.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.2116888046.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe PID: 3148, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe PID: 5352, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe PID: 1672, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe PID: 4464, type: MEMORYSTR

E-Banking Fraud

Source: Yara match | File source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 3.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4516996122.0000000000763000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.2117329180.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.2116701859.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4516996122.000000000073E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2057706211.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.2116888046.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe PID: 3148, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe PID: 5352, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe PID: 1672, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe PID: 4464, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_0041CA73 SystemParametersInfoW, | 0_2_0041CA73

                      System Summary

                      barindex
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, type: SAMPLEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, type: SAMPLEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, type: SAMPLEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 3.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 3.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 3.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 0.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 0.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 0.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 2.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 2.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                      Source: 2.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 4.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 4.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                      Source: 4.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 0.2.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 0.2.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                      Source: 0.2.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 00000004.00000000.2117329180.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 00000002.00000000.2116701859.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 00000000.00000000.2057706211.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 00000003.00000000.2116888046.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: Process Memory Space: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe PID: 3148, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: Process Memory Space: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe PID: 5352, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: Process Memory Space: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe PID: 1672, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: Process Memory Space: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe PID: 4464, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_0041330D OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_0041BBC6 OpenProcess,NtResumeProcess,CloseHandle
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 2_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 2_2_00401806 NtdllDefWindowProc_W
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 2_2_004018C0 NtdllDefWindowProc_W
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 3_2_004016FD NtdllDefWindowProc_A
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 3_2_004017B7 NtdllDefWindowProc_A
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 4_2_00402CAC NtdllDefWindowProc_A
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 4_2_00402D66 NtdllDefWindowProc_A
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_0043706A
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_00414005
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_0043E11C
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_004541D9
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_004381E8
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_0041F18B
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_00446270
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_0043E34B
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_004533AB
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_0042742E
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_00437566
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_0043E5A8
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_004387F0
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_0043797E
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_004339D7
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_0044DA49
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_00427AD7
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_0041DBF3
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_00427C40
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_00437DB3
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_00435EEB
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_0043DEED
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_00426E9F
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_10017194
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_1000B5C1
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 2_2_0044B040
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 2_2_0043610D
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 2_2_00447310
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 2_2_0044A490
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 2_2_0040755A
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 2_2_0043C560
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 2_2_0044B610
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 2_2_0044D6C0
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 2_2_004476F0
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 2_2_0044B870
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 2_2_0044081D
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 2_2_00414957
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 2_2_004079EE
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 2_2_00407AEB
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 2_2_0044AA80
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 2_2_00412AA9
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 2_2_00404B74
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 2_2_00404B03
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 2_2_0044BBD8
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 2_2_00404BE5
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 2_2_00404C76
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 2_2_00415CFE
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 2_2_00416D72
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 2_2_00446D30
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 2_2_00446D8B
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 2_2_00406E8F
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 3_2_00405038
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 3_2_0041208C
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 3_2_004050A9
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 3_2_0040511A
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 3_2_0043C13A
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 3_2_004051AB
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 3_2_00449300
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 3_2_0040D322
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 3_2_0044A4F0
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 3_2_0043A5AB
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 3_2_00413631
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 3_2_00446690
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 3_2_0044A730
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 3_2_004398D8
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 3_2_004498E0
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 3_2_0044A886
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 3_2_0043DA09
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 3_2_00438D5E
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 3_2_00449ED0
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 3_2_0041FE83
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 3_2_00430F54
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 4_2_004050C2
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 4_2_004014AB
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 4_2_00405133
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 4_2_004051A4
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 4_2_00401246
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 4_2_0040CA46
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 4_2_00405235
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 4_2_004032C8
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 4_2_004222D9
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 4_2_00401689
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 4_2_00402F60
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: String function: 004169A7 appears 87 times
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: String function: 004165FF appears 35 times
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: String function: 00434801 appears 42 times
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: String function: 00422297 appears 42 times
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: String function: 00434E70 appears 54 times
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: String function: 00402093 appears 50 times
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: String function: 0044DB70 appears 41 times
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: String function: 00401E65 appears 35 times
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: String function: 00444B5A appears 37 times
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: String function: 00413025 appears 79 times
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: String function: 00416760 appears 69 times
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000000.00000002.4517618981.000000000378B000.00000040.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000000.00000003.2138520174.00000000007B7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000000.00000003.2116492650.0000000000807000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000000.00000003.2116526072.0000000000771000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000000.00000003.2140192863.0000000000807000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000000.00000003.2138261361.0000000000807000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000000.00000003.2139042258.00000000007DC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Binary or memory string: OriginalFileName vs 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Binary or memory string: OriginalFilename vs 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000004.00000002.2120026640.000000000041B000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 3.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 3.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 3.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 0.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 0.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 0.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 2.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 2.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 2.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 4.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 4.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 4.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 0.2.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 0.2.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 0.2.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 00000004.00000000.2117329180.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 00000002.00000000.2116701859.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 00000000.00000000.2057706211.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 00000003.00000000.2116888046.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe PID: 3148, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe PID: 5352, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe PID: 1672, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe PID: 4464, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: classification engineClassification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@7/3@3/2
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeCode function: 2_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,2_2_004182CE
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeCode function: 0_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,0_2_0041798D
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeCode function: 4_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,4_2_00410DE1
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeCode function: 2_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,2_2_00418758
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeCode function: 0_2_0040F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,0_2_0040F4AF
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeCode function: 0_2_0041B539 FindResourceA,LoadResource,LockResource,SizeofResource,0_2_0041B539
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeCode function: 0_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,0_2_0041AADB
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\json[1].jsonJump to behavior
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-VG9RMM
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeFile created: C:\Users\user\AppData\Local\Temp\bhv153A.tmpJump to behavior
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeCommand line argument: Software\0_2_0040EA00
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeCommand line argument: Rmc-VG9RMM0_2_0040EA00
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeCommand line argument: Exe0_2_0040EA00
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeCommand line argument: Exe0_2_0040EA00
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeCommand line argument: Rmc-VG9RMM0_2_0040EA00
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeCommand line argument: (TG0_2_0040EA00
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeCommand line argument: ,aF0_2_0040EA00
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeCommand line argument: Inj0_2_0040EA00
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeCommand line argument: Inj0_2_0040EA00
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeCommand line argument: RG0_2_0040EA00
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeCommand line argument: RG0_2_0040EA00
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeCommand line argument: RG0_2_0040EA00
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeCommand line argument: HSG0_2_0040EA00
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeCommand line argument: RG0_2_0040EA00
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeCommand line argument: exepath0_2_0040EA00
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeCommand line argument: ,aF0_2_0040EA00
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeCommand line argument: HSG0_2_0040EA00
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeCommand line argument: exepath0_2_0040EA00
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeCommand line argument: RG0_2_0040EA00
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeCommand line argument: licence0_2_0040EA00
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeCommand line argument: tMG0_2_0040EA00
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeCommand line argument: `SG0_2_0040EA00
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeCommand line argument: Administrator0_2_0040EA00
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeCommand line argument: User0_2_0040EA00
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeCommand line argument: del0_2_0040EA00
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeCommand line argument: del0_2_0040EA00
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeCommand line argument: del0_2_0040EA00
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeSystem information queried: HandleInformationJump to behavior
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000003.00000002.2119201596.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000000.00000002.4517457287.0000000003680000.00000040.10000000.00040000.00000000.sdmp, 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000002.00000002.2136926222.00000000022E4000.00000004.00000020.00020000.00000000.sdmp, 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000002.00000003.2127964149.00000000022E2000.00000004.00000020.00020000.00000000.sdmp, 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000002.00000003.2135463611.00000000022E4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeReversingLabs: Detection: 84%
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeEvasive API call chain: __getmainargs,DecisionNodes,exit
                      Source: unknownProcess created: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe "C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe"
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeProcess created: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\dxjvlgierdcqthqe"
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeProcess created: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\gzpolysyeludwneioqn"
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeProcess created: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\qtcgmqdzstmiybbmfbayqv"
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeProcess created: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\dxjvlgierdcqthqe"Jump to behavior
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeProcess created: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\gzpolysyeludwneioqn"Jump to behavior
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeProcess created: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\qtcgmqdzstmiybbmfbayqv"Jump to behavior
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeSection loaded: winmm.dllJump to behavior
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeSection loaded: rstrtmgr.dllJump to behavior
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Section loaded: winnsi.dll
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Section loaded: version.dll
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Section loaded: wininet.dll
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Section loaded: windows.storage.dll
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Section loaded: wldp.dll
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Section loaded: cryptsp.dll
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Section loaded: rsaenh.dll
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Section loaded: cryptbase.dll
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Section loaded: pstorec.dll
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Section loaded: vaultcli.dll
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Section loaded: wintypes.dll
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Section loaded: dpapi.dll
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Section loaded: msasn1.dll
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Section loaded: windows.storage.dll
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Section loaded: wldp.dll
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Section loaded: pstorec.dll
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Section loaded: sspicli.dll
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Section loaded: msasn1.dll
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Section loaded: msasn1.dll
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Section loaded: windows.storage.dll
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Section loaded: wldp.dll
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Section loaded: msasn1.dll
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Section loaded: sspicli.dll
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Section loaded: cryptsp.dll
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Section loaded: rsaenh.dll
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Section loaded: cryptbase.dll
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | File opened: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.cfg
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                      Data Obfuscation

                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Unpacked PE file: 2.2.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.gfids:R;.rsrc:R;.reloc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Unpacked PE file: 3.2.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.gfids:R;.rsrc:R;.reloc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Unpacked PE file: 4.2.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.gfids:R;.rsrc:R;.reloc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_0041CBE1
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_00457186 push ecx; ret 0_2_00457199
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_00457AA8 push eax; ret 0_2_00457AC6
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_00434EB6 push ecx; ret 0_2_00434EC9
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_10002806 push ecx; ret 0_2_10002819
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 2_2_0044693D push ecx; ret 2_2_0044694D
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 2_2_0044DB70 push eax; ret 2_2_0044DB84
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 2_2_0044DB70 push eax; ret 2_2_0044DBAC
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 2_2_00451D54 push eax; ret 2_2_00451D61
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 3_2_0044B090 push eax; ret 3_2_0044B0A4
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 3_2_0044B090 push eax; ret 3_2_0044B0CC
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 3_2_00451D34 push eax; ret 3_2_00451D41
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 3_2_00444E71 push ecx; ret 3_2_00444E81
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 4_2_00414060 push eax; ret 4_2_00414074
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 4_2_00414060 push eax; ret 4_2_0041409C
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 4_2_00414039 push ecx; ret 4_2_00414049
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 4_2_004164EB push 0000006Ah; retf 4_2_004165C4
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 4_2_00416553 push 0000006Ah; retf 4_2_004165C4
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 4_2_00416555 push 0000006Ah; retf 4_2_004165C4
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_00406EEB ShellExecuteW,URLDownloadToFileW, 0_2_00406EEB
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 0_2_0041AADB
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_0041CBE1
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Process information set: NOOPENFILEERRORBOX
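The three "Unpacked PE file" entries in this section record the on-disk MPRESS layout (.MPRESS1:ER;.MPRESS2:ER;.rsrc:W) being replaced in memory by an ordinary .text/.rdata/.data layout, which is what the "Detected unpacking (changes PE section rights)" signature keys on. The Python below is an added example written for this page, not code from the Joe Sandbox report or from the sample: it walks a PE section table with struct alone (no pefile dependency) and flags the three cheap static indicators a triage script can check before any unpacking: packer-style section names, sections that are both writable and executable, and an executable section whose raw data is much smaller than its mapped size (the in-place unpack pattern). The PACKED and UNPACKED inputs are constructed header-only PEs shaped like the report's two layouts; their sizes are test values, not measurements of this sample, and the packer name list and the "less than half" ratio are assumptions.

```python
import struct

# Section characteristic bits from winnt.h
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Section-name prefixes of common packers (assumption: a short, non-exhaustive list; MPRESS is the one seen here).
PACKER_SECTION_PREFIXES = (b".MPRESS", b"UPX", b".aspack", b".vmp", b".themida", b".petite")


def rights(characteristics):
    """Render section rights the way the report does: E, R, W in that order."""
    out = ""
    if characteristics & IMAGE_SCN_MEM_EXECUTE:
        out += "E"
    if characteristics & IMAGE_SCN_MEM_READ:
        out += "R"
    if characteristics & IMAGE_SCN_MEM_WRITE:
        out += "W"
    return out


def parse_sections(data):
    """Return one dict per section (name, virtual size, raw size, rights) from a PE image's section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER (20 bytes) follows the signature; the section table follows the optional header.
    _machine, nsections, _ts, _symtab, _nsyms, opt_size, _flags = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size
    sections = []
    for i in range(nsections):
        # IMAGE_SECTION_HEADER is 40 bytes: Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
        name, vsize, _va, raw_size, _raw_ptr, _r1, _r2, _n1, _n2, chars = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\x00").decode("latin-1"),
                         "vsize": vsize, "raw_size": raw_size, "rights": rights(chars)})
    return sections


def section_findings(data):
    """One string per suspicious section; an empty list means the layout looks like an ordinary compiler output."""
    findings = []
    for s in parse_sections(data):
        if s["name"].encode().startswith(PACKER_SECTION_PREFIXES):
            findings.append(f'{s["name"]}: packer section name')
        if "E" in s["rights"] and "W" in s["rights"]:
            findings.append(f'{s["name"]}: writable and executable')
        # Executable section backed by far less file data than it maps: code is decompressed into it at run time.
        if "E" in s["rights"] and s["raw_size"] < s["vsize"] // 2:
            findings.append(f'{s["name"]}: executable section with {s["raw_size"]:#x} raw bytes for {s["vsize"]:#x} mapped bytes (unpacks in place)')
    return findings


def build_min_pe(sections):
    """Constructed test input: a header-only PE32 whose section table holds the given (name, chars, vsize, raw_size) rows."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)   # i386, PE32 optional header size
    opt_hdr = struct.pack("<H", 0x10B) + b"\x00" * (0xE0 - 2)                      # PE32 magic, remaining fields zeroed
    table = b"".join(struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\x00"),
                                 vsize, 0x1000 * (i + 1), raw, 0x400 * (i + 1), 0, 0, 0, 0, chars)
                     for i, (name, chars, vsize, raw) in enumerate(sections))
    return dos + b"PE\x00\x00" + file_hdr + opt_hdr + table


E, R, W = IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
# Constructed layouts mirroring the report's ".MPRESS1:ER;.MPRESS2:ER;.rsrc:W" versus the unpacked image (sizes are test values).
PACKED = build_min_pe([(".MPRESS1", E | R, 0x40000, 0x18000), (".MPRESS2", E | R, 0x1000, 0x800), (".rsrc", W, 0x2000, 0x2000)])
UNPACKED = build_min_pe([(".text", E | R, 0x40000, 0x40000), (".rdata", R, 0x8000, 0x8000), (".data", W, 0x3000, 0x1000),
                         (".rsrc", R, 0x2000, 0x2000), (".reloc", R, 0x1000, 0x1000)])

if __name__ == "__main__":
    for label, blob in (("packed", PACKED), ("unpacked", UNPACKED)):
        print(label, [f'{s["name"]}:{s["rights"]}' for s in parse_sections(blob)], section_findings(blob))
```

Against a real file, read it with open(path, "rb").read() and pass the bytes to section_findings; a packed binary usually trips the name check or the size ratio before any dynamic unpacking is needed, while the dynamic rights change the report describes (the unpacked image gaining a normal .text:ER) is only visible from the memory dump.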

                      Malware Analysis System Evasion

                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_0040F7E2 Sleep,ExitProcess, 0_2_0040F7E2
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 2_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 2_2_0040DD85
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 0_2_0041A7D9
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Window / User API: threadDelayed 4514
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Window / User API: threadDelayed 5475
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_0-53394
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | API coverage: 10.0 %
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe TID: 4424 | Thread sleep count: 4514 > 30
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe TID: 4424 | Thread sleep time: -13542000s >= -30000s
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe TID: 4424 | Thread sleep count: 5475 > 30
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe TID: 4424 | Thread sleep time: -16425000s >= -30000s
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_0040928E
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 0_2_0041C322
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 0_2_0040C388
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_004096A0
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 0_2_00408847
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_00407877 FindFirstFileW,FindNextFileW, 0_2_00407877
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_0044E8F9 FindFirstFileExA, 0_2_0044E8F9
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 0_2_0040BB6B
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW, 0_2_00419B86
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 0_2_0040BD72
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_100010F1
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_10006580 FindFirstFileExA, 0_2_10006580
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 2_2_0040AE51 FindFirstFileW,FindNextFileW, 2_2_0040AE51
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 3_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 3_2_00407EF8
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 4_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 4_2_00407898
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 0_2_00407CD2
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 2_2_00418981 memset,GetSystemInfo, 2_2_00418981
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000000.00000003.2088774186.00000000007B7000.00000004.00000020.00020000.00000000.sdmp, 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000000.00000003.2112960649.00000000007B7000.00000004.00000020.00020000.00000000.sdmp, 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000000.00000002.4516996122.0000000000763000.00000004.00000020.00020000.00000000.sdmp, 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000000.00000003.2138520174.00000000007B7000.00000004.00000020.00020000.00000000.sdmp, 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000000.00000002.4517099762.00000000007B7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000000.00000003.2088774186.00000000007B7000.00000004.00000020.00020000.00000000.sdmp, 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000000.00000003.2112960649.00000000007B7000.00000004.00000020.00020000.00000000.sdmp, 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000000.00000003.2138520174.00000000007B7000.00000004.00000020.00020000.00000000.sdmp, 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000000.00000002.4517099762.00000000007B7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWI
                      Source: bhv153A.tmp.2.dr | Binary or memory string: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpXOaQeBtbq%2B7LgJauNdx5lF%2FQ%2FOy2qwXRNGjU%3D&Manufacturer=VMware%2C%20Inc.&Model=VMware20%2C1&Language=en&Locale=en-US
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | API call chain: ExitProcess graph end node graph_0-55103
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | API call chain: ExitProcess graph end node
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00434A8A
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 2_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 2_2_0040DD85
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_0041CBE1
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_00443355 mov eax, dword ptr fs:[00000030h] 0_2_00443355
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_10004AB4 mov eax, dword ptr fs:[00000030h] 0_2_10004AB4
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_00411D39 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError, 0_2_00411D39
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0043503C
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00434A8A
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0043BB71
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_00434BD8 SetUnhandledExceptionFilter, 0_2_00434BD8
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_100060E2
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_10002639
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_10002B1C

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError, 0_2_0041812A
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Section loaded: NULL target: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe protection: execute and read and write
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Section loaded: NULL target: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe protection: execute and read and write
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Section loaded: NULL target: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe protection: execute and read and write
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 0_2_00412132
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_00419662 mouse_event, 0_2_00419662
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Process created: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\dxjvlgierdcqthqe"
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Process created: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\gzpolysyeludwneioqn"
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Process created: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\qtcgmqdzstmiybbmfbayqv"
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000000.00000002.4517099762.00000000007AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000000.00000002.4517099762.00000000007AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager+8
                      Source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000000.00000002.4517099762.00000000007A0000.00000004.00000020.00020000.00000000.sdmp, 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, 00000000.00000002.4516996122.0000000000763000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: 0_2_00434CB6 cpuid 0_2_00434CB6
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: GetLocaleInfoA, 0_2_0040F90C
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: EnumSystemLocalesW, 0_2_0045201B
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: EnumSystemLocalesW, 0_2_004520B6
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00452143
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | Code function: GetLocaleInfoW, 0_2_00452393
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeCode function: EnumSystemLocalesW,0_2_00448484
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_004524BC
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeCode function: GetLocaleInfoW,0_2_004525C3
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00452690
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeCode function: GetLocaleInfoW,0_2_0044896D
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_00451D58
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeCode function: EnumSystemLocalesW,0_2_00451FD0
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeCode function: 0_2_00404F51 GetLocalTime,CreateEventA,CreateThread,0_2_00404F51
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeCode function: 0_2_0041B69E GetComputerNameExW,GetUserNameW,0_2_0041B69E
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeCode function: 0_2_00449210 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,0_2_00449210
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeCode function: 2_2_0041739B GetVersionExW,2_2_0041739B
                      Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Yara match, file source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, type: SAMPLE
Yara match, file source: 3.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Yara match, file source: 0.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Yara match, file source: 2.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Yara match, file source: 4.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Yara match, file source: 0.2.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Yara match, file source: 00000000.00000002.4516996122.0000000000763000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Yara match, file source: 00000004.00000000.2117329180.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Yara match, file source: 00000002.00000000.2116701859.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Yara match, file source: 00000000.00000002.4516996122.000000000073E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Yara match, file source: 00000000.00000000.2057706211.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Yara match, file source: 00000003.00000000.2116888046.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Yara match, file source: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Yara match, file source: Process Memory Space: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe PID: 3148, type: MEMORYSTR
Yara match, file source: Process Memory Space: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe PID: 5352, type: MEMORYSTR
Yara match, file source: Process Memory Space: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe PID: 1672, type: MEMORYSTR
Yara match, file source: Process Memory Space: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe PID: 4464, type: MEMORYSTR

Source (every entry below until the next Yara match): C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe
Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data (0_2_0040BA4D)
Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ (0_2_0040BB6B)
Code function: \key3.db (0_2_0040BB6B)
File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Key opened: HKEY_CURRENT_USER\Software\Paltalk
Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Code function: ESMTPPassword (3_2_004033F0)
Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword (3_2_00402DB3)
Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword (3_2_00402DB3)
Yara match, file source: Process Memory Space: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe PID: 3148, type: MEMORYSTR
Yara match, file source: Process Memory Space: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe PID: 5352, type: MEMORYSTR

Remote Access Functionality

Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe; mutex created: \Sessions\1\BaseNamedObjects\Rmc-VG9RMM
Yara match, file source: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, type: SAMPLE
Yara match, file source: 3.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Yara match, file source: 0.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Yara match, file source: 2.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Yara match, file source: 4.0.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Yara match, file source: 0.2.1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Yara match, file source: 00000000.00000002.4516996122.0000000000763000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Yara match, file source: 00000004.00000000.2117329180.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Yara match, file source: 00000002.00000000.2116701859.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Yara match, file source: 00000000.00000002.4516996122.000000000073E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Yara match, file source: 00000000.00000000.2057706211.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Yara match, file source: 00000003.00000000.2116888046.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Yara match, file source: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Yara match, file source: Process Memory Space: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe PID: 3148, type: MEMORYSTR
Yara match, file source: Process Memory Space: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe PID: 5352, type: MEMORYSTR
Yara match, file source: Process Memory Space: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe PID: 1672, type: MEMORYSTR
Yara match, file source: Process Memory Space: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe PID: 4464, type: MEMORYSTR
Source: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe; code function: cmd.exe (0_2_0040569A)
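Detection view of the behaviour recorded above, added here as an example; it is not part of the Joe Sandbox report and not Remcos or NirSoft code. The process-creation entries show the sample re-launching its own image with /stext "<%TEMP%\random name>", which is the NirSoft command-line switch for writing recovered passwords to a text file; the report's WebBrowserPassView Yara hit and the nirsoft.net strings in memory are consistent with Remcos running its embedded NirSoft recovery tools that way. The network side of the report shows a dynamic-DNS C2 host (akwaeze234.duckdns.org, 178.215.224.176) reached on port 2024 (the 49706/49707 ports listed beside it fall in the Windows ephemeral client range, so 2024 is the server port) and an HTTP request to geoplugin.net. The script scores these indicators per process over a constructed Sysmon-style event stream so that a lone dynamic-DNS lookup does not alert but the combination does. Assumptions: the event dict shape, which of the report's PIDs is the parent, the benign browser and home-NAS events, and the dynamic-DNS suffixes other than duckdns.org.

```python
"""Score Remcos-style host and network indicators per process.

Added example, not the sandbox's code or logs. Events are dicts in a
Sysmon-like shape (constructed here); findings are attributed to PIDs.
"""
import re
from collections import defaultdict

# Seen in the report: the sample re-launches its own image with the NirSoft
# "/stext <file>" switch and a random lowercase file name under %TEMP%.
STEXT_RE = re.compile(r'/stext\s+"?([^"]+)"?', re.IGNORECASE)
RANDOM_NAME_RE = re.compile(r"^[a-z]{12,}$")

# duckdns.org is the provider in the report; the other suffixes are an
# assumption added to make the check general.
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "no-ip.biz", "ddns.net", "hopto.org")
# Geolocation service the sample queried before beaconing (geoplugin.net:80).
GEOIP_HOSTS = ("geoplugin.net",)
# A dynamic-DNS host on these ports is not suspicious on its own.
COMMON_PORTS = {80, 443, 8080, 8443}

# Weights: the NirSoft self-spawn is conclusive alone, the rest need company.
WEIGHTS = {
    "nirsoft_stext_child": 3,
    "nirsoft_stext_self": 3,
    "c2_nonstandard_port": 2,
    "dyndns_query": 1,
    "geoip_lookup": 1,
}
ALERT_THRESHOLD = 3


def is_dyndns(host):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES)


def is_nirsoft_dump_path(path):
    """%TEMP% output file with an all-lowercase random name, as in the report."""
    norm = path.replace("/", "\\").lower()
    name = norm.rsplit("\\", 1)[-1]
    return "\\appdata\\local\\temp\\" in norm and bool(RANDOM_NAME_RE.match(name))


def analyse(events):
    """Return {pid: set of indicator names} for the event stream."""
    findings = defaultdict(set)
    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            # Re-executing one's own image is normal for browsers; only the
            # NirSoft-style /stext dump into %TEMP% is flagged. The finding
            # is pinned on the parent too, since that is the RAT host process.
            if ev["image"].lower() == ev["parent_image"].lower():
                m = STEXT_RE.search(ev["cmdline"])
                if m and is_nirsoft_dump_path(m.group(1)):
                    findings[ev["ppid"]].add("nirsoft_stext_child")
                    findings[ev["pid"]].add("nirsoft_stext_self")
        elif kind == "dns_query":
            if is_dyndns(ev["query"]):
                findings[ev["pid"]].add("dyndns_query")
        elif kind == "net_connect":
            host = ev.get("dst_host", "").lower()
            if host in GEOIP_HOSTS:
                findings[ev["pid"]].add("geoip_lookup")
            if is_dyndns(host) and ev["dst_port"] not in COMMON_PORTS:
                findings[ev["pid"]].add("c2_nonstandard_port")
    return findings


def alerts(findings):
    """Sum the weights per process; keep processes at or above the threshold."""
    scored = {pid: sum(WEIGHTS[n] for n in names) for pid, names in findings.items()}
    return {pid: s for pid, s in scored.items() if s >= ALERT_THRESHOLD}


# Constructed event stream modelled on the report. PIDs are the report's, but
# which one is the parent is an assumption; the Chrome and NAS events are
# invented benign noise.
SAMPLE = r"C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe"
TEMP = r"C:\Users\user\AppData\Local\Temp"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EVENTS = [
    {"type": "process_create", "pid": 3148, "ppid": 1000, "image": SAMPLE,
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": f'"{SAMPLE}"'},
    {"type": "dns_query", "pid": 3148, "query": "akwaeze234.duckdns.org"},
    {"type": "net_connect", "pid": 3148, "dst_host": "akwaeze234.duckdns.org",
     "dst_ip": "178.215.224.176", "dst_port": 2024},
    {"type": "net_connect", "pid": 3148, "dst_host": "geoplugin.net",
     "dst_ip": "178.237.33.50", "dst_port": 80},
    {"type": "process_create", "pid": 5352, "ppid": 3148, "image": SAMPLE, "parent_image": SAMPLE,
     "cmdline": f'"{SAMPLE}" /stext "{TEMP}\\dxjvlgierdcqthqe"'},
    {"type": "process_create", "pid": 1672, "ppid": 3148, "image": SAMPLE, "parent_image": SAMPLE,
     "cmdline": f'"{SAMPLE}" /stext "{TEMP}\\gzpolysyeludwneioqn"'},
    {"type": "process_create", "pid": 4464, "ppid": 3148, "image": SAMPLE, "parent_image": SAMPLE,
     "cmdline": f'"{SAMPLE}" /stext "{TEMP}\\qtcgmqdzstmiybbmfbayqv"'},
    # Benign: a browser renderer is also a self-spawn, but without /stext.
    {"type": "process_create", "pid": 7000, "ppid": 6999, "image": CHROME, "parent_image": CHROME,
     "cmdline": f'"{CHROME}" --type=renderer'},
    # Benign: a user reaching a home NAS on a dynamic-DNS name over HTTPS.
    {"type": "dns_query", "pid": 7100, "query": "home.duckdns.org"},
    {"type": "net_connect", "pid": 7100, "dst_host": "home.duckdns.org",
     "dst_ip": "203.0.113.7", "dst_port": 443},
]

if __name__ == "__main__":
    found = analyse(EVENTS)
    for pid, score in sorted(alerts(found).items()):
        print(pid, score, sorted(found[pid]))
```

On the constructed stream the parent scores 7 (dynamic-DNS query, non-standard C2 port, geolocation lookup, NirSoft children) and each /stext child scores 3, while the Chrome renderer produces no finding and the NAS user stays at 1, below the threshold. In production the same logic maps onto Sysmon event IDs 1 (process create), 22 (DNS query) and 3 (network connect); the weights are a starting point to tune, not a fixed rule.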
MITRE ATT&CK matrix, reconstructed from the flattened table as one line per tactic. A number in front of a technique is the count badge the matrix shows for that cell (reproduced as rendered); techniques without a number are the matrix's unmatched placeholder entries.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: 11 Native API; 13 Command and Scripting Interpreter; 2 Service Execution; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: 1 DLL Side-Loading; 1 Windows Service; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Access Token Manipulation; 1 Windows Service; 222 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Masquerading; 1 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 222 Process Injection; Dynamic API Resolution
Credential Access: 2 OS Credential Dumping; 111 Input Capture; 2 Credentials in Registry; 3 Credentials In Files; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: 2 System Time Discovery; 1 Account Discovery; 1 System Service Discovery; 3 File and Directory Discovery; 38 System Information Discovery; 31 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 4 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: 11 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 111 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: 12 Ingress Tool Transfer; 2 Encrypted Channel; 1 Non-Standard Port; 1 Remote Access Software; 2 Non-Application Layer Protocol; 22 Application Layer Protocol; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; 1 Defacement; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph ID: 1544507 (the graph's node and edge data, rendered as text)
Sample: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe; start date: 29/10/2024; architecture: WINDOWS; score: 100

Network nodes:
  akwaeze234.duckdns.org: 178.215.224.176, ports 2024, 49706, 49707, LVLT-10753US, Germany (signature on this node: Uses dynamic DNS services)
  geoplugin.net: 178.237.33.50, ports 49708, 80, ATOM86-ASATOM86NL, Netherlands
  198.187.3.20.in-addr.arpa

Signatures on the start node: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures

Process tree:
  1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe (node badges 3, 13), started from the start node; contacts akwaeze234.duckdns.org and geoplugin.net
    signatures: Contains functionality to bypass UAC (CMSTPLUA); Detected unpacking (changes PE section rights); Detected Remcos RAT; 8 other signatures
    -> 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe (node badge 1), started by the parent; signatures: Tries to steal Instant Messenger accounts or passwords; Tries to harvest and steal browser information (history, passwords, etc)
    -> 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe (node badge 1), started by the parent; signatures: Tries to steal Mail credentials (via file / registry access)
    -> 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe (node badge 2), started by the parent

Sample (Source | Detection | Scanner | Label | Link):
  1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | 84% | ReversingLabs | Win32.Backdoor.Remcos | -
  1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | 100% | Avira | BDS/Backdoor.Gen | -
  1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | 100% | Joe Sandbox ML | - | -
No Antivirus matches (stated three times in the original, once for each of the remaining detection sub-tables)

URLs (Source | Detection | Scanner | Label | Link):
  http://geoplugin.net/json.gp | 0% | URL Reputation | safe | -
  http://www.imvu.comr | 0% | URL Reputation | safe | -
  http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe | -
  http://www.imvu.com | 0% | URL Reputation | safe | -
  https://login.yahoo.com/config/login | 0% | URL Reputation | safe | -
  https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe | -
  http://www.ebuddy.com | 0% | URL Reputation | safe | -
Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
  geoplugin.net | 178.237.33.50 | true | false | - | unknown
  akwaeze234.duckdns.org | 178.215.224.176 | true | true | - | unknown
  198.187.3.20.in-addr.arpa | unknown | unknown | true | - | unknown

Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
  http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
  akwaeze234.duckdns.org | true | - | unknown
URLs from memory and dropped files (Name | Source | Malicious | Antivirus Detection | Reputation). In the Source column, "sample" abbreviates 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe and "bhv153A.tmp.2.dr" is the dropped file as the report names it:
  https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P | bhv153A.tmp.2.dr | false | - | unknown
  https://www.google.com | sample; sample, 00000004.00000002.2120026640.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | - | unknown
  https://www.office.com/ | bhv153A.tmp.2.dr | false | - | unknown
  http://www.imvu.comr | sample, 00000000.00000002.4517618981.0000000003770000.00000040.10000000.00040000.00000000.sdmp; sample, 00000004.00000002.2120026640.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
  https://fp-afd.azurefd.us/apc/trans.gif?94fb5ac9609bcb4cda0bf8acf1827073 | bhv153A.tmp.2.dr | false | - | unknown
  https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-LAX31r5a&FrontEnd=AF | bhv153A.tmp.2.dr | false | - | unknown
  https://aefd.nelreports.net/api/report?cat=bingaot | bhv153A.tmp.2.dr | false | - | unknown
  http://geoplugin.net/json.gp/C | sample | false | URL Reputation: safe | unknown
  https://maps.windows.com/windows-app-web-link | bhv153A.tmp.2.dr | false | - | unknown
  https://fp-afd.azurefd.us/apc/trans.gif?0cf92be82316943650f2ee723bc6949e | bhv153A.tmp.2.dr | false | - | unknown
  http://www.imvu.com | sample; sample, 00000004.00000002.2120026640.0000000000400000.00000040.80000000.00040000.00000000.sdmp; sample, 00000004.00000003.2119402270.0000000000A0D000.00000004.00000020.00020000.00000000.sdmp; sample, 00000004.00000003.2119474238.0000000000A0D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
  https://aefd.nelreports.net/api/report?cat=bingrms | bhv153A.tmp.2.dr | false | - | unknown
  https://www.google.com/accounts/servicelogin | sample | false | - | unknown
  https://login.yahoo.com/config/login | sample | false | URL Reputation: safe | unknown
  http://www.nirsoft.net | sample, 00000002.00000002.2136298252.0000000000193000.00000004.00000010.00020000.00000000.sdmp | false | - | unknown
  https://aefd.nelreports.net/api/report?cat=bingaotak | bhv153A.tmp.2.dr | false | - | unknown
  https://deff.nelreports.net/api/report?cat=msn | bhv153A.tmp.2.dr | false | URL Reputation: safe | unknown
  http://www.nirsoft.net/ | sample, 00000004.00000002.2120026640.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | - | unknown
  http://www.imvu.comata | sample, 00000004.00000003.2119402270.0000000000A0D000.00000004.00000020.00020000.00000000.sdmp; sample, 00000004.00000003.2119474238.0000000000A0D000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
  http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | sample, 00000000.00000002.4517618981.0000000003770000.00000040.10000000.00040000.00000000.sdmp; sample, 00000004.00000002.2120026640.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | - | unknown
  http://www.ebuddy.com | sample; sample, 00000004.00000002.2120026640.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
IP map legend (map image not included): No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
178.215.224.176 | akwaeze234.duckdns.org | Germany | 10753 | LVLT-10753US | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
                                                            Joe Sandbox version:41.0.0 Charoite
                                                            Analysis ID:1544507
                                                            Start date and time:2024-10-29 14:21:09 +01:00
                                                            Joe Sandbox product:CloudBasic
                                                            Overall analysis duration:0h 8m 2s
                                                            Hypervisor based Inspection enabled:false
                                                            Report type:full
                                                            Cookbook file name:default.jbs
                                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:7
                                                            Number of new started drivers analysed:0
                                                            Number of existing processes analysed:0
                                                            Number of existing drivers analysed:0
                                                            Number of injected processes analysed:0
                                                            Technologies:
                                                            • HCA enabled
                                                            • EGA enabled
                                                            • AMSI enabled
                                                            Analysis Mode:default
                                                            Analysis stop reason:Timeout
                                                            Sample name:1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe
                                                            Detection:MAL
                                                            Classification:mal100.rans.phis.troj.spyw.expl.evad.winEXE@7/3@3/2
                                                            EGA Information:
                                                            • Successful, ratio: 100%
                                                            HCA Information:
                                                            • Successful, ratio: 99%
                                                            • Number of executed functions: 137
                                                            • Number of non-executed functions: 300
                                                            Cookbook Comments:
                                                            • Found application associated with file extension: .exe
                                                            • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                            • Report size exceeded maximum capacity and may have missing disassembly code.
                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                            • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                            • VT rate limit hit for: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe
Time | Type | Description
09:22:39 | API Interceptor | 4874990x Sleep call for process: 1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
178.215.224.176 | oodforme.doc | malicious | Remcos | -
178.215.224.176 | 172966320624e13c69130942cdd5d6acfaaa0a3c37caf1b0782206d6657ac60035e08c695d630.dat-decoded.exe | malicious | Remcos | -
178.215.224.176 | EX0096959.docx.doc | malicious | Remcos | -
178.237.33.50 | 1730205125e17c77fd100fac247e845e0d35eb80fd3ed2b798c588796b720ffad142a2b233827.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | Lista produkt#U00f3w POL56583753Sarchmentdoc.bat | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | odthings.doc | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | sheisverynicegirlwithgreatworkingskillwithgereatniceworkign.hta | malicious | Cobalt Strike, Remcos | geoplugin.net/json.gp
178.237.33.50 | withbest.doc | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 1730032807b4b05f98bfde8f6276448daba1a23755e9c274c194747a0e2092fa87b9491fd0424.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 43655- Urgent - Request for Quotation.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | Supplier Purchase Order - PO0002491.exe | malicious | Remcos, PureLog Stealer | geoplugin.net/json.gp
178.237.33.50 | SecuriteInfo.com.W32.MSIL_Kryptik.KMZ.gen.Eldorado.27390.3879.exe | malicious | Remcos | geoplugin.net/json.gp
Match | Associated Sample Name / URL | Detection | Threat Name | Context
geoplugin.net | 1730205125e17c77fd100fac247e845e0d35eb80fd3ed2b798c588796b720ffad142a2b233827.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | Lista produkt#U00f3w POL56583753Sarchmentdoc.bat | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | odthings.doc | malicious | Remcos | 178.237.33.50
geoplugin.net | sheisverynicegirlwithgreatworkingskillwithgereatniceworkign.hta | malicious | Cobalt Strike, Remcos | 178.237.33.50
geoplugin.net | withbest.doc | malicious | Remcos | 178.237.33.50
geoplugin.net | 1730032807b4b05f98bfde8f6276448daba1a23755e9c274c194747a0e2092fa87b9491fd0424.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | 43655- Urgent - Request for Quotation.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | Supplier Purchase Order - PO0002491.exe | malicious | Remcos, PureLog Stealer | 178.237.33.50
geoplugin.net | SecuriteInfo.com.W32.MSIL_Kryptik.KMZ.gen.Eldorado.27390.3879.exe | malicious | Remcos | 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
LVLT-10753US | Markus-Dokumenten-Kaufvertrag.vbs | malicious | GuLoader, Remcos | 45.88.88.33
LVLT-10753US | file.exe | malicious | DarkVision Rat | 178.215.224.241
LVLT-10753US | nabspc.elf | malicious | Unknown | 217.22.7.30
LVLT-10753US | splsh4.elf | malicious | Unknown | 168.215.79.153
LVLT-10753US | la.bot.m68k.elf | malicious | Unknown | 148.57.98.32
LVLT-10753US | la.bot.sh4.elf | malicious | Unknown | 212.87.197.98
LVLT-10753US | w18Ys8qKuX.elf | malicious | Unknown | 168.215.50.172
LVLT-10753US | keldRUiaay.elf | malicious | Mirai | 147.207.101.215
LVLT-10753US | ai3eCONS9Q.elf | malicious | Mirai | 94.154.174.114
LVLT-10753US | i686.elf | malicious | Unknown | 178.215.238.10
ATOM86-ASATOM86NL | 1730205125e17c77fd100fac247e845e0d35eb80fd3ed2b798c588796b720ffad142a2b233827.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | Lista produkt#U00f3w POL56583753Sarchmentdoc.bat | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | odthings.doc | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | sheisverynicegirlwithgreatworkingskillwithgereatniceworkign.hta | malicious | Cobalt Strike, Remcos | 178.237.33.50
ATOM86-ASATOM86NL | withbest.doc | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | 1730032807b4b05f98bfde8f6276448daba1a23755e9c274c194747a0e2092fa87b9491fd0424.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | 43655- Urgent - Request for Quotation.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | Supplier Purchase Order - PO0002491.exe | malicious | Remcos, PureLog Stealer | 178.237.33.50
ATOM86-ASATOM86NL | SecuriteInfo.com.W32.MSIL_Kryptik.KMZ.gen.Eldorado.27390.3879.exe | malicious | Remcos | 178.237.33.50
                                                                  No context
                                                                  No context
                                                                  Process:C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):957
                                                                  Entropy (8bit):5.0066301715842645
                                                                  Encrypted:false
                                                                  SSDEEP:24:qIdVauKyGX85jHf3SvXhNlT3/7YvfbYro:1ba0GX85mvhjTkvfEro
                                                                  MD5:2E6AA7D5FAF1BDB7D1CC5D404F07E680
                                                                  SHA1:C83CFFE66D1E2D5376645D93C76CD9ED6AE50840
                                                                  SHA-256:DB7B707B8921A5BA4AEAA028A2862279D620D289CAA3988D2BB5E7FDA6ED2F6E
                                                                  SHA-512:7F8F33F6DA9D547E6ADA5E43A4EDAD25E0D0CCD936975423E4F0AADC4ECFE9EDBA5441F7964E4FDE0813251C338C32E11E82135F055D4B232678FE5420FA910C
                                                                  Malicious:false
                                                                  Reputation:low
Preview:
{
  "geoplugin_request":"173.254.250.72",
  "geoplugin_status":200,
  "geoplugin_delay":"2ms",
  "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",
  "geoplugin_city":"Killeen",
  "geoplugin_region":"Texas",
  "geoplugin_regionCode":"TX",
  "geoplugin_regionName":"Texas",
  "geoplugin_areaCode":"",
  "geoplugin_dmaCode":"625",
  "geoplugin_countryCode":"US",
  "geoplugin_countryName":"United States",
  "geoplugin_inEU":0,
  "geoplugin_euVATrate":false,
  "geoplugin_continentCode":"NA",
  "geoplugin_continentName":"North America",
  "geoplugin_latitude":"31.0065",
  "geoplugin_longitude":"-97.8406",
  "geoplugin_locationAccuracyRadius":"20",
  "geoplugin_timezone":"America\/Chicago",
  "geoplugin_currencyCode":"USD",
  "geoplugin_currencySymbol":"$",
  "geoplugin_currencySymbol_UTF8":"$",
  "geoplugin_currencyConverter":0
}
                                                                  Process:C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe
                                                                  File Type:Extensible storage engine DataBase, version 0x620, checksum 0xd579f4ce, page size 32768, DirtyShutdown, Windows version 10.0
                                                                  Category:dropped
                                                                  Size (bytes):17301504
                                                                  Entropy (8bit):0.801202043687675
                                                                  Encrypted:false
                                                                  SSDEEP:6144:6dfjZb5aXEY2waXEY24URl0e4APXAP5APzAPwbndOO8pHAP6JnTJnTbnSotnBQ+z:4Vq4e81ySaKKjLrONseWe
                                                                  MD5:177AE252C4126EA44E23AEB77D50E643
                                                                  SHA1:D377E4D3541B471E740CC1E98A7806A3FF34D969
                                                                  SHA-256:15EE24F96DEBC7EFBB3B07AEA8B9E1CA2BF12903E647E07CC2B137831D4C3810
                                                                  SHA-512:081B4B6F332EAEE8056A95592E80A423348FB85AE9D188B3CC171A534C129BAEB6ADF9D8DD980D8974C8A29FFFB5FF315AE5D2C62EFF9C39C8D10783DA453156
                                                                  Malicious:false
                                                                  Reputation:low
Preview:(binary ESE database page content omitted)
                                                                  Process:C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe
                                                                  File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):2
                                                                  Entropy (8bit):1.0
                                                                  Encrypted:false
                                                                  SSDEEP:3:Qn:Qn
                                                                  MD5:F3B25701FE362EC84616A93A45CE9998
                                                                  SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                  SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                  SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                  Malicious:false
                                                                  Reputation:high, very likely benign file
                                                                  Preview:..
                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Entropy (8bit):6.600301741887622
                                                                  TrID:
                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                  File name:1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe
                                                                  File size:494'592 bytes
                                                                  MD5:bdc97150dac50c3f7ac1ea9ed9cffd76
                                                                  SHA1:47fd285845b588fa076d033f23823969b9c02af5
                                                                  SHA256:dac8aa13562f80a9b9ee11080e7f4f4d4168cf8885b43453f1526d9778065ed8
                                                                  SHA512:2c6b0587a1407c89e45373295809db7cdaaca3abf3ce435b792b264fd36030eed7fa01fd651564f2351a1b015623aa0f731b0e29bddfbaaad43c32d18bcb2a92
                                                                  SSDEEP:6144:G5zY+w1LqZBCxKedv//NEUn+N5hkf/0TE7RvIZ/jbsAORZzAXMcruA4:G5k+Yqaxrh3Nln+N52fIA4jbsvZz9A4
                                                                  TLSH:86B49E01BAD2C072D57514300D3AF776EAB8BD201836497B73DA1D5BFE31190A72AAB7
                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{.-H..~H..~H..~..'~[..~..%~...~..$~V..~AbR~I..~...~J..~.D..R..~.D..r..~.D..j..~AbE~Q..~H..~v..~.D..,..~.D)~I..~.D..I..~RichH..
                                                                  Icon Hash:95694d05214c1b33
                                                                  Entrypoint:0x434a80
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:false
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                  DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                  Time Stamp:0x6710C0B1 [Thu Oct 17 07:45:53 2024 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:
                                                                  OS Version Major:5
                                                                  OS Version Minor:1
                                                                  File Version Major:5
                                                                  File Version Minor:1
                                                                  Subsystem Version Major:5
                                                                  Subsystem Version Minor:1
                                                                  Import Hash:1389569a3a39186f3eb453b501cfe688
                                                                  Instruction
                                                                  call 00007F0DF4CBA96Bh
                                                                  jmp 00007F0DF4CBA3B3h
                                                                  push ebp
                                                                  mov ebp, esp
                                                                  sub esp, 00000324h
                                                                  push ebx
                                                                  push esi
                                                                  push 00000017h
                                                                  call 00007F0DF4CDCC03h
                                                                  test eax, eax
                                                                  je 00007F0DF4CBA527h
                                                                  mov ecx, dword ptr [ebp+08h]
                                                                  int 29h
                                                                  xor esi, esi
                                                                  lea eax, dword ptr [ebp-00000324h]
                                                                  push 000002CCh
                                                                  push esi
                                                                  push eax
                                                                  mov dword ptr [00471D14h], esi
                                                                  call 00007F0DF4CBC976h
                                                                  add esp, 0Ch
                                                                  mov dword ptr [ebp-00000274h], eax
                                                                  mov dword ptr [ebp-00000278h], ecx
                                                                  mov dword ptr [ebp-0000027Ch], edx
                                                                  mov dword ptr [ebp-00000280h], ebx
                                                                  mov dword ptr [ebp-00000284h], esi
                                                                  mov dword ptr [ebp-00000288h], edi
                                                                  mov word ptr [ebp-0000025Ch], ss
                                                                  mov word ptr [ebp-00000268h], cs
                                                                  mov word ptr [ebp-0000028Ch], ds
                                                                  mov word ptr [ebp-00000290h], es
                                                                  mov word ptr [ebp-00000294h], fs
                                                                  mov word ptr [ebp-00000298h], gs
                                                                  pushfd
                                                                  pop dword ptr [ebp-00000264h]
                                                                  mov eax, dword ptr [ebp+04h]
                                                                  mov dword ptr [ebp-0000026Ch], eax
                                                                  lea eax, dword ptr [ebp+04h]
                                                                  mov dword ptr [ebp-00000260h], eax
                                                                  mov dword ptr [ebp-00000324h], 00010001h
                                                                  mov eax, dword ptr [eax-04h]
                                                                  push 00000050h
                                                                  mov dword ptr [ebp-00000270h], eax
                                                                  lea eax, dword ptr [ebp-58h]
                                                                  push esi
                                                                  push eax
                                                                  call 00007F0DF4CBC8EDh
                                                                  Programming Language:
                                                                  • [C++] VS2008 SP1 build 30729
                                                                  • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6eeb8 | 0x104 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x79000 | 0x4b00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7e000 | 0x3bc8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6d350 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x6d3e4 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x6d388 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x59000 | 0x500 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x571f5 | 0x57200 | 42490688bcf3aaa371282a7454b99e23 | False | 0.5716155173959828 | data | 6.625772280516175 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x59000 | 0x179dc | 0x17a00 | 8c19f58f5a4e5f2d5359d54234473252 | False | 0.5008370535714286 | data | 5.862025333737917 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x71000 | 0x5d54 | 0xe00 | 0eaccffe1cb836994ce5d3ccfb22d4f9 | False | 0.22126116071428573 | data | 3.0035180736120775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x77000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids | 0x78000 | 0x230 | 0x400 | 9ca325bce9f8c0342c0381814603584a | False | 0.330078125 | data | 2.3999762503719224 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x79000 | 0x4b00 | 0x4c00 | 36d6d18c895217b29fddf562347b3ca2 | False | 0.27950246710526316 | data | 3.983059348881004 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x7e000 | 0x3bc8 | 0x3c00 | 71caad037f5f2070293ebf9ebb49e4e2 | False | 0.764453125 | data | 6.724383647387111 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x7918c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.3421985815602837
RT_ICON | 0x795f4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.27704918032786885
RT_ICON | 0x79f7c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.23686679174484052
RT_ICON | 0x7b024 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.22977178423236513
RT_RCDATA | 0x7d5cc | 0x4f2 | zlib compressed data | | | 1.0086887835703002
RT_GROUP_ICON | 0x7dac0 | 0x3e | data | English | United States | 0.8064516129032258
DLL | Import
KERNEL32.dll | FindNextFileA, ExpandEnvironmentStringsA, GetLongPathNameW, CopyFileW, GetLocaleInfoA, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, VirtualProtect, SetLastError, VirtualFree, VirtualAlloc, GetNativeSystemInfo, HeapAlloc, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetTempPathW, OpenProcess, OpenMutexA, lstrcatW, GetCurrentProcessId, GetTempFileNameW, UnmapViewOfFile, DuplicateHandle, CreateFileMappingW, MapViewOfFile, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetTickCount, GlobalUnlock, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, LocalAlloc, GlobalFree, MulDiv, SizeofResource, QueryDosDeviceW, FindFirstVolumeW, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, lstrlenW, GetStdHandle, SetFilePointer, FindResourceA, LockResource, LoadResource, LocalFree, FindVolumeClose, GetVolumePathNamesForVolumeNameW, lstrcpyW, FindFirstFileA, FormatMessageA, FindNextVolumeW, AllocConsole, lstrcmpW, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, HeapReAlloc, GetACP, GetModuleHandleExW, MoveFileExW, RtlUnwind, RaiseException, LoadLibraryExW, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, GetFileSize, TerminateThread, GetLastError, CreateDirectoryW, GetModuleHandleA, RemoveDirectoryW, MoveFileW, SetFilePointerEx, GetLogicalDriveStringsA, DeleteFileW, DeleteFileA, SetFileAttributesW, GetFileAttributesW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, GetModuleHandleW, ExitProcess, CreateMutexA, GetCurrentProcess, GetProcAddress, LoadLibraryA, CreateProcessA, PeekNamedPipe, CreatePipe, TerminateProcess, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, SetEvent, CreateEventW, WaitForSingleObject, Sleep, GetModuleFileNameW, CloseHandle, ExitThread, CreateFileW, WriteFile, SetConsoleOutputCP, InitializeCriticalSectionAndSpinCount, MultiByteToWideChar, DecodePointer, EncodePointer, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, WaitForSingleObjectEx, ResetEvent, SetEndOfFile
USER32.dll | GetMessageA, GetWindowTextW, wsprintfW, GetClipboardData, UnhookWindowsHookEx, GetForegroundWindow, ToUnicodeEx, GetKeyboardLayout, SetWindowsHookExA, CloseClipboard, OpenClipboard, GetKeyboardState, CallNextHookEx, GetKeyboardLayoutNameA, GetKeyState, GetWindowTextLengthW, DispatchMessageA, SetForegroundWindow, SetClipboardData, EnumWindows, ExitWindowsEx, EmptyClipboard, ShowWindow, SetWindowTextW, MessageBoxW, IsWindowVisible, CloseWindow, SendInput, EnumDisplaySettingsW, mouse_event, CreatePopupMenu, TranslateMessage, TrackPopupMenu, DefWindowProcA, CreateWindowExA, AppendMenuA, GetSystemMetrics, RegisterClassExA, GetCursorPos, SystemParametersInfoW, GetWindowThreadProcessId, MapVirtualKeyA, DrawIcon, GetIconInfo
GDI32.dll | BitBlt, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteObject, CreateDCA, GetObjectA, DeleteDC
ADVAPI32.dll | CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegEnumValueW, RegQueryValueExW, RegDeleteKeyA
SHELL32.dll | ShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW
ole32.dll | CoInitializeEx, CoUninitialize, CoGetObject
SHLWAPI.dll | PathFileExistsW, PathFileExistsA, StrToIntA
WINMM.dll | waveInOpen, waveInStart, waveInAddBuffer, PlaySoundW, mciSendStringA, mciSendStringW, waveInClose, waveInStop, waveInPrepareHeader, waveInUnprepareHeader
WS2_32.dll | gethostbyname, send, WSAStartup, closesocket, inet_ntoa, htons, htonl, getservbyname, ntohs, getservbyport, gethostbyaddr, inet_addr, WSASetLastError, WSAGetLastError, recv, connect, socket
urlmon.dll | URLOpenBlockingStreamW, URLDownloadToFileW
gdiplus.dll | GdipSaveImageToStream, GdipGetImageEncodersSize, GdipFree, GdipDisposeImage, GdipAlloc, GdipCloneImage, GdipGetImageEncoders, GdiplusStartup, GdipLoadImageFromStream
WININET.dll | InternetOpenUrlW, InternetOpenW, InternetCloseHandle, InternetReadFile
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-29T14:22:05.924850+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49706 | 178.215.224.176 | 2024 | TCP
2024-10-29T14:22:07.471809+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49707 | 178.215.224.176 | 2024 | TCP
2024-10-29T14:22:07.471870+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.5 | 49708 | 178.237.33.50 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                  Oct 29, 2024 14:22:08.475972891 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.475984097 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.476021051 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:08.488392115 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.488409996 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.488421917 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.488434076 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.488445044 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.488462925 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:08.488507032 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:08.488775015 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.488789082 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.488816023 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:08.592391014 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.592416048 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.592427969 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.592441082 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.592538118 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:08.592658997 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.592679024 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.592691898 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.592703104 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.592715979 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.592730045 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:08.592763901 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:08.593569994 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.593614101 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:08.600946903 CET8049708178.237.33.50192.168.2.5
                                                                  Oct 29, 2024 14:22:08.601020098 CET4970880192.168.2.5178.237.33.50
                                                                  Oct 29, 2024 14:22:08.605711937 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.605768919 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.605782032 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.605794907 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.605808973 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.605915070 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:08.649291039 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.649312973 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.649328947 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.649415970 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:08.649532080 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:08.709768057 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.709793091 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.709806919 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.709824085 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.709836006 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.709870100 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:08.709912062 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:08.710093021 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.710103035 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.710129976 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:08.710304022 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.710318089 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.710330963 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.710342884 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.710347891 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:08.710374117 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:08.723261118 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.723279953 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.723293066 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.723304987 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.723310947 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:08.723332882 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:08.723447084 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.723459005 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.723470926 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.723493099 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:08.723512888 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:08.766607046 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.766634941 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.766644955 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.766659021 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.766680956 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:08.766707897 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:08.827058077 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.827081919 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.827107906 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.827120066 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.827131033 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.827157974 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:08.827182055 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:08.827497005 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.827526093 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.827537060 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.827719927 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:08.827943087 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.827956915 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.827967882 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.828017950 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:08.840874910 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.840925932 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.840938091 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.840939045 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:08.840960026 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.840972900 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.840985060 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.840992928 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:08.840998888 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.841027975 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:08.841038942 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:08.841768980 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.887387037 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.887408018 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.887420893 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.887520075 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:08.887520075 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:08.944472075 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.944489956 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.944504023 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.944540977 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:08.944648981 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.944660902 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.944672108 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.944681883 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:08.944710970 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:08.945096016 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.945106983 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.945118904 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.945161104 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.945173025 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:08.945199013 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:08.945693016 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.945797920 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.945831060 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:08.958203077 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.958219051 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.958339930 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.958352089 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.958350897 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:08.958364964 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.958378077 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.958389997 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.958412886 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:08.958441019 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:08.959109068 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:08.959145069 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:08.959186077 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.003015995 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:09.003832102 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.003849030 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.003860950 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.003916979 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:09.049874067 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:09.062247992 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.062267065 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.062278032 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.062289000 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.062300920 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.062355042 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:09.062403917 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:09.062570095 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.062582016 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.062593937 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.062606096 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:09.062633991 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:09.062655926 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.062668085 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.062709093 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:09.075551987 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.075576067 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.075589895 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.075635910 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:09.075747013 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.075759888 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.075771093 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.075783014 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:09.075800896 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:09.076162100 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.076172113 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.076199055 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:09.076385975 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.076396942 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.076442957 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:09.117382050 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.117399931 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.117479086 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:09.119018078 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.119029045 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.119055033 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.119065046 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.119077921 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:09.119117975 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:09.179326057 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.179404974 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.179415941 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.179449081 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:09.180021048 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.180037022 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.180048943 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.180062056 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.180064917 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:09.180088997 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:09.180105925 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.180119038 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.180140972 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:09.180483103 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.180495024 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.180505991 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.180515051 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:09.180541039 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:09.193348885 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.193367004 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.193382025 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.193401098 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:09.193671942 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.900736094 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:09.901406050 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.901420116 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.901432991 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.901460886 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:09.901556969 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.901567936 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.901609898 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:09.941474915 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.941514015 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.941526890 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:09.941600084 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.941611052 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:09.941648960 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:10.009169102 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.009197950 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.009210110 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.009362936 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:10.009903908 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.009916067 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.009960890 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:10.016905069 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.016952991 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.016954899 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:10.016966105 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.017009020 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:10.017117977 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.017129898 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.017141104 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.017153978 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:10.017203093 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.017214060 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.017236948 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:10.017782927 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.017818928 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:10.017823935 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.017836094 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.017859936 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.017868996 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:10.018289089 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.018300056 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.018311977 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.018326044 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:10.018357992 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:10.018371105 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.018383026 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.018394947 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.018415928 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:10.019155979 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.019166946 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.019180059 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.019196033 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:10.019223928 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:10.020040035 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.020051956 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.020090103 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:10.059289932 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.059303999 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.059322119 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.059333086 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.059442043 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:10.059474945 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:10.126595020 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.126611948 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.126624107 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.126765013 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:10.126926899 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.126940966 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.126952887 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.126980066 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:10.127027035 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:10.135107994 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.135128975 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.135143042 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.135157108 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.135169983 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.135183096 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.135211945 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:10.135211945 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:10.135260105 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:10.135483027 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.135508060 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.135523081 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.135556936 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:10.135612011 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.135624886 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.135637999 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.135668993 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:10.135704041 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:10.136375904 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.136389017 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.136409998 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.136423111 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.136436939 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.136450052 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:10.136452913 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.136495113 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:10.136495113 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:10.137218952 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.137275934 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.137307882 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.137320995 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.137329102 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:10.137334108 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.137372971 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:10.176892996 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.176906109 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.176918030 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.176932096 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.177006006 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:10.177052975 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:10.244225979 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.244321108 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:10.244402885 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:12.419579029 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:12.425029039 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:12.425046921 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:12.425066948 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:12.425076962 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:12.425086975 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:12.425091028 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:12.425127029 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:12.425188065 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:12.425198078 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:12.425242901 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:12.425252914 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:12.425297976 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:12.430516005 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:12.430526972 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:12.430536985 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:12.430557013 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:12.430567026 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:12.430607080 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:12.430617094 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:12.520903111 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:12.526752949 CET202449707178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:12.526815891 CET497072024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:35.744273901 CET202449706178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:22:35.746073961 CET497062024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:22:35.753293037 CET202449706178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:23:05.864861965 CET202449706178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:23:05.866976023 CET497062024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:23:05.872612000 CET202449706178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:23:36.076297998 CET202449706178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:23:36.077877045 CET497062024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:23:36.083158016 CET202449706178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:23:56.588475943 CET4970880192.168.2.5178.237.33.50
                                                                  Oct 29, 2024 14:23:56.893659115 CET4970880192.168.2.5178.237.33.50
                                                                  Oct 29, 2024 14:23:57.503027916 CET4970880192.168.2.5178.237.33.50
                                                                  Oct 29, 2024 14:23:58.706150055 CET4970880192.168.2.5178.237.33.50
                                                                  Oct 29, 2024 14:24:01.112411022 CET4970880192.168.2.5178.237.33.50
                                                                  Oct 29, 2024 14:24:05.924948931 CET4970880192.168.2.5178.237.33.50
                                                                  Oct 29, 2024 14:24:06.134556055 CET202449706178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:24:06.135991096 CET497062024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:24:06.141386986 CET202449706178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:24:15.534342051 CET4970880192.168.2.5178.237.33.50
                                                                  Oct 29, 2024 14:24:36.297226906 CET202449706178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:24:36.299598932 CET497062024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:24:36.305075884 CET202449706178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:25:06.460510969 CET202449706178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:25:06.462522030 CET497062024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:25:06.467860937 CET202449706178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:25:36.721324921 CET202449706178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:25:36.725193977 CET497062024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:25:36.730545044 CET202449706178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:26:06.651484013 CET202449706178.215.224.176192.168.2.5
                                                                  Oct 29, 2024 14:26:06.653615952 CET497062024192.168.2.5178.215.224.176
                                                                  Oct 29, 2024 14:26:06.659113884 CET202449706178.215.224.176192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 29, 2024 14:22:04.427752018 CET | 65208 | 53 | 192.168.2.5 | 1.1.1.1
Oct 29, 2024 14:22:05.041270018 CET | 53 | 65208 | 1.1.1.1 | 192.168.2.5
Oct 29, 2024 14:22:06.592307091 CET | 54482 | 53 | 192.168.2.5 | 1.1.1.1
Oct 29, 2024 14:22:06.604773045 CET | 53 | 54482 | 1.1.1.1 | 192.168.2.5
Oct 29, 2024 14:22:38.010564089 CET | 53 | 51342 | 162.159.36.2 | 192.168.2.5
Oct 29, 2024 14:22:38.623785973 CET | 60178 | 53 | 192.168.2.5 | 1.1.1.1
Oct 29, 2024 14:22:38.633184910 CET | 53 | 60178 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 29, 2024 14:22:04.427752018 CET | 192.168.2.5 | 1.1.1.1 | 0xb443 | Standard query (0) | akwaeze234.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 29, 2024 14:22:06.592307091 CET | 192.168.2.5 | 1.1.1.1 | 0x9c46 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Oct 29, 2024 14:22:38.623785973 CET | 192.168.2.5 | 1.1.1.1 | 0x6ad8 | Standard query (0) | 198.187.3.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 29, 2024 14:22:05.041270018 CET | 1.1.1.1 | 192.168.2.5 | 0xb443 | No error (0) | akwaeze234.duckdns.org | | 178.215.224.176 | A (IP address) | IN (0x0001) | false
Oct 29, 2024 14:22:06.604773045 CET | 1.1.1.1 | 192.168.2.5 | 0x9c46 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
Oct 29, 2024 14:22:38.633184910 CET | 1.1.1.1 | 192.168.2.5 | 0x6ad8 | Name error (3) | 198.187.3.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
• geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49708 | 178.237.33.50 | 80 | 3148 | C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe
Timestamp | Bytes transferred | Direction | Data
Oct 29, 2024 14:22:06.613936901 CET | 71 | OUT | GET /json.gp HTTP/1.1
    Host: geoplugin.net
    Cache-Control: no-cache
Oct 29, 2024 14:22:07.471743107 CET | 1165 | IN | HTTP/1.1 200 OK
    date: Tue, 29 Oct 2024 13:22:07 GMT
    server: Apache
    content-length: 957
    content-type: application/json; charset=utf-8
    cache-control: public, max-age=300
    access-control-allow-origin: *
    Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 32 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4b 69 6c 6c 65 65 6e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 54 65 78 61 73 22 2c 0a 20 20 22 67 65 6f 70 [TRUNCATED]
    Data Ascii: { "geoplugin_request":"173.254.250.72", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Killeen", "geoplugin_region":"Texas", "geoplugin_regionCode":"TX", "geoplugin_regionName":"Texas", "geoplugin_areaCode":"", "geoplugin_dmaCode":"625", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"31.0065", "geoplugin_longitude":"-97.8406", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/Chicago", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}
Target ID: 0
Start time: 09:22:03
Start date: 29/10/2024
Path: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe"
Imagebase: 0x400000
File size: 494'592 bytes
MD5 hash: BDC97150DAC50C3F7AC1EA9ED9CFFD76
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4516996122.0000000000763000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4516996122.000000000073E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000000.2057706211.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000000.2057706211.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.2057706211.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000000.2057706211.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                                  Reputation:low
                                                                  Has exited:false

                                                                  Target ID:2
                                                                  Start time:09:22:09
                                                                  Start date:29/10/2024
                                                                  Path:C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\dxjvlgierdcqthqe"
                                                                  Imagebase:0x400000
                                                                  File size:494'592 bytes
                                                                  MD5 hash:BDC97150DAC50C3F7AC1EA9ED9CFFD76
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000002.00000000.2116701859.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000000.2116701859.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000000.2116701859.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000002.00000000.2116701859.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:3
                                                                  Start time:09:22:09
                                                                  Start date:29/10/2024
                                                                  Path:C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\gzpolysyeludwneioqn"
                                                                  Imagebase:0x400000
                                                                  File size:494'592 bytes
                                                                  MD5 hash:BDC97150DAC50C3F7AC1EA9ED9CFFD76
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000003.00000000.2116888046.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000000.2116888046.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000000.2116888046.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000003.00000000.2116888046.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:4
                                                                  Start time:09:22:09
                                                                  Start date:29/10/2024
                                                                  Path:C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\qtcgmqdzstmiybbmfbayqv"
                                                                  Imagebase:0x400000
                                                                  File size:494'592 bytes
                                                                  MD5 hash:BDC97150DAC50C3F7AC1EA9ED9CFFD76
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000004.00000000.2117329180.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000000.2117329180.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000000.2117329180.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000004.00000000.2117329180.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                                  Reputation:low
                                                                  Has exited:true


                                                                    Execution Graph

                                                                    Execution Coverage:4.8%
                                                                    Dynamic/Decrypted Code Coverage:4.2%
                                                                    Signature Coverage:19.7%
                                                                    Total number of Nodes:1700
                                                                    Total number of Limit Nodes:55
10001168 lstrlenW 53875->53877 53878 100011a0 53876->53878 53879 100011e1 53876->53879 53877->53876 53880 100011c7 FindNextFileW 53878->53880 53881 100011aa 53878->53881 53879->53850 53880->53878 53883 100011da FindClose 53880->53883 53881->53880 53886 10001000 57 API calls ___scrt_fastfail 53881->53886 53883->53879 53885 10002c57 53884->53885 53885->53875 53885->53885 53886->53881 53920 4117d7 53887->53920 53889 411d57 53890 411d6d SetLastError 53889->53890 53891 4117d7 SetLastError 53889->53891 53917 411d35 53889->53917 53890->53917 53892 411d8a 53891->53892 53892->53890 53894 411dac GetNativeSystemInfo 53892->53894 53892->53917 53895 411df2 53894->53895 53906 411dff SetLastError 53895->53906 53923 411cde VirtualAlloc 53895->53923 53898 411e22 53899 411e47 GetProcessHeap HeapAlloc 53898->53899 53933 411cde VirtualAlloc 53898->53933 53901 411e70 53899->53901 53902 411e5e 53899->53902 53905 4117d7 SetLastError 53901->53905 53934 411cf5 VirtualFree 53902->53934 53903 411e3a 53903->53899 53903->53906 53907 411eb9 53905->53907 53906->53917 53908 411f6b 53907->53908 53924 411cde VirtualAlloc 53907->53924 53935 4120b2 GetProcessHeap HeapFree 53908->53935 53911 411ed2 ctype 53925 4117ea SetLastError ctype ___scrt_get_show_window_mode 53911->53925 53913 411efe 53913->53908 53926 411b9a 26 API calls 53913->53926 53915 411f2b 53915->53908 53927 41198a 53915->53927 53917->53838 53918 411f36 53918->53908 53918->53917 53919 411f60 SetLastError 53918->53919 53919->53908 53921 4117e6 53920->53921 53922 4117db SetLastError 53920->53922 53921->53889 53922->53889 53923->53898 53924->53911 53925->53913 53926->53915 53931 4119b0 53927->53931 53928 411a99 53929 4118ed VirtualProtect 53928->53929 53930 411aab 53929->53930 53930->53918 53931->53928 53931->53930 53936 4118ed 53931->53936 53933->53903 53934->53906 53935->53917 53937 4118fe 53936->53937 53938 4118f6 53936->53938 53937->53938 53939 411971 VirtualProtect 53937->53939 53938->53931 53939->53938 53941 4041c8 53940->53941 53944 
4041d9 53941->53944 53943 40419c 53943->53780 53945 4041e9 53944->53945 53946 404206 53945->53946 53947 4041ef 53945->53947 53948 4027e6 28 API calls 53946->53948 53951 404267 53947->53951 53950 404204 53948->53950 53950->53943 53952 402888 22 API calls 53951->53952 53953 40427b 53952->53953 53954 404290 53953->53954 53955 4042a5 53953->53955 53957 4042df 22 API calls 53954->53957 53956 4027e6 28 API calls 53955->53956 53960 4042a3 53956->53960 53958 404299 53957->53958 53959 402c48 22 API calls 53958->53959 53959->53960 53960->53950 53962 441edd 53961->53962 53965 441ccd 53962->53965 53964 41bc43 53964->53794 53966 441ce4 53965->53966 53968 441d1b _Atexit 53966->53968 53969 44062d 20 API calls _Atexit 53966->53969 53968->53964 53969->53968 53970->53799 53971->53583 53973 4020f6 28 API calls 53972->53973 53974 415b47 SetEvent 53973->53974 53975 415b5c 53974->53975 53976 4041a2 28 API calls 53975->53976 53977 415b76 53976->53977 53978 4020f6 28 API calls 53977->53978 53979 415b86 53978->53979 53980 4020f6 28 API calls 53979->53980 53981 415b98 53980->53981 53982 41beac 28 API calls 53981->53982 53983 415ba1 53982->53983 53984 415bc1 GetTickCount 53983->53984 53985 415d20 53983->53985 54048 415d11 53983->54048 53987 41bc1f 28 API calls 53984->53987 53985->54048 54049 415d34 53985->54049 53986 401e8d 11 API calls 53988 4170cd 53986->53988 53989 415bd2 53987->53989 53991 401fd8 11 API calls 53988->53991 54051 41bb77 GetLastInputInfo GetTickCount 53989->54051 53993 4170d9 53991->53993 53995 401fd8 11 API calls 53993->53995 53994 415bde 53996 41bc1f 28 API calls 53994->53996 53997 4170e5 53995->53997 53998 415be9 53996->53998 54052 41bb27 53998->54052 54001 41bdaf 28 API calls 54002 415c05 54001->54002 54003 401e65 22 API calls 54002->54003 54004 415c13 54003->54004 54005 402f31 28 API calls 54004->54005 54006 415c21 54005->54006 54007 402ea1 28 API calls 54006->54007 54008 415c30 54007->54008 54009 402f10 28 API calls 54008->54009 54010 415c3f 54009->54010 54011 402ea1 
28 API calls 54010->54011 54012 415c4e 54011->54012 54013 402f10 28 API calls 54012->54013 54014 415c5a 54013->54014 54015 402ea1 28 API calls 54014->54015 54016 415c64 54015->54016 54017 404aa1 61 API calls 54016->54017 54018 415c73 54017->54018 54019 401fd8 11 API calls 54018->54019 54020 415c7c 54019->54020 54021 401fd8 11 API calls 54020->54021 54022 415c88 54021->54022 54023 401fd8 11 API calls 54022->54023 54024 415c94 54023->54024 54025 401fd8 11 API calls 54024->54025 54026 415ca0 54025->54026 54027 401fd8 11 API calls 54026->54027 54028 415cac 54027->54028 54029 401fd8 11 API calls 54028->54029 54030 415cb8 54029->54030 54031 401f09 11 API calls 54030->54031 54032 415cc1 54031->54032 54033 401fd8 11 API calls 54032->54033 54034 415cca 54033->54034 54035 401fd8 11 API calls 54034->54035 54036 415cd3 54035->54036 54037 401e65 22 API calls 54036->54037 54038 415cde 54037->54038 54057 43bb2c 54038->54057 54041 415cf0 54044 415d09 54041->54044 54045 415cfe 54041->54045 54042 415d16 54043 401e65 22 API calls 54042->54043 54043->53985 54062 404f51 54044->54062 54061 404ff4 82 API calls 54045->54061 54048->53986 54077 4050e4 84 API calls 54049->54077 54050 415d04 54050->54048 54051->53994 54078 436f10 54052->54078 54055 40417e 28 API calls 54056 415bf7 54055->54056 54056->54001 54058 43bb45 _strftime 54057->54058 54080 43ae83 54058->54080 54060 415ceb 54060->54041 54060->54042 54061->54050 54063 404f65 54062->54063 54064 404fea 54062->54064 54065 404f6e 54063->54065 54066 404fc0 CreateEventA CreateThread 54063->54066 54067 404f7d GetLocalTime 54063->54067 54064->54048 54065->54066 54066->54064 54109 405150 54066->54109 54068 41bc1f 28 API calls 54067->54068 54069 404f91 54068->54069 54108 4052fd 28 API calls 54069->54108 54077->54050 54079 41bb46 GetForegroundWindow GetWindowTextW 54078->54079 54079->54055 54096 43ba8a 54080->54096 54082 43aed0 54102 43a837 36 API calls 3 library calls 54082->54102 54083 43ae95 54083->54082 54084 43aeaa 54083->54084 54095 43aeaf 
_Atexit 54083->54095 54101 44062d 20 API calls _Atexit 54084->54101 54088 43aedc 54089 43af0b 54088->54089 54103 43bacf 40 API calls __Tolower 54088->54103 54092 43af77 54089->54092 54104 43ba36 20 API calls 2 library calls 54089->54104 54105 43ba36 20 API calls 2 library calls 54092->54105 54093 43b03e _strftime 54093->54095 54106 44062d 20 API calls _Atexit 54093->54106 54095->54060 54097 43baa2 54096->54097 54098 43ba8f 54096->54098 54097->54083 54107 44062d 20 API calls _Atexit 54098->54107 54100 43ba94 _Atexit 54100->54083 54101->54095 54102->54088 54103->54088 54104->54092 54105->54093 54106->54095 54107->54100 54112 40515c 102 API calls 54109->54112 54111 405159 54112->54111 54113->53528 54114->53533 54115->53535 54116 43bea8 54117 43beb4 _swprintf ___DestructExceptionObject 54116->54117 54118 43bec2 54117->54118 54120 43beec 54117->54120 54132 44062d 20 API calls _Atexit 54118->54132 54127 445909 EnterCriticalSection 54120->54127 54122 43bec7 ___DestructExceptionObject _Atexit 54123 43bef7 54128 43bf98 54123->54128 54127->54123 54130 43bfa6 54128->54130 54129 43bf02 54133 43bf1f LeaveCriticalSection std::_Lockit::~_Lockit 54129->54133 54130->54129 54134 4497ec 37 API calls 2 library calls 54130->54134 54132->54122 54133->54122 54134->54130 54135 434918 54136 434924 ___DestructExceptionObject 54135->54136 54162 434627 54136->54162 54138 43492b 54140 434954 54138->54140 54460 434a8a IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_get_show_window_mode 54138->54460 54148 434993 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 54140->54148 54461 4442d2 5 API calls _ValidateLocalCookies 54140->54461 54142 43496d 54144 434973 ___DestructExceptionObject 54142->54144 54462 444276 5 API calls _ValidateLocalCookies 54142->54462 54145 4349f3 54173 434ba5 54145->54173 54148->54145 54463 443487 36 API calls 5 library calls 54148->54463 54155 434a15 54156 434a1f 54155->54156 54465 4434bf 28 API 
calls _Atexit 54155->54465 54158 434a28 54156->54158 54466 443462 28 API calls _Atexit 54156->54466 54467 43479e 13 API calls 2 library calls 54158->54467 54161 434a30 54161->54144 54163 434630 54162->54163 54468 434cb6 IsProcessorFeaturePresent 54163->54468 54165 43463c 54469 438fb1 10 API calls 4 library calls 54165->54469 54167 434641 54172 434645 54167->54172 54470 44415f IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 54167->54470 54169 43464e 54170 43465c 54169->54170 54471 438fda 8 API calls 3 library calls 54169->54471 54170->54138 54172->54138 54174 436f10 ___scrt_get_show_window_mode 54173->54174 54175 434bb8 GetStartupInfoW 54174->54175 54176 4349f9 54175->54176 54177 444223 54176->54177 54472 44f0d9 54177->54472 54179 434a02 54182 40ea00 54179->54182 54180 44422c 54180->54179 54476 446895 36 API calls 54180->54476 54478 41cbe1 LoadLibraryA GetProcAddress 54182->54478 54184 40ea1c GetModuleFileNameW 54483 40f3fe 54184->54483 54186 40ea38 54187 4020f6 28 API calls 54186->54187 54188 40ea47 54187->54188 54189 4020f6 28 API calls 54188->54189 54190 40ea56 54189->54190 54191 41beac 28 API calls 54190->54191 54192 40ea5f 54191->54192 54498 40fb52 54192->54498 54194 40ea68 54195 401e8d 11 API calls 54194->54195 54196 40ea71 54195->54196 54197 40ea84 54196->54197 54198 40eace 54196->54198 54692 40fbee 118 API calls 54197->54692 54199 401e65 22 API calls 54198->54199 54201 40eade 54199->54201 54205 401e65 22 API calls 54201->54205 54202 40ea96 54203 401e65 22 API calls 54202->54203 54204 40eaa2 54203->54204 54693 410f72 36 API calls __EH_prolog 54204->54693 54206 40eafd 54205->54206 54207 40531e 28 API calls 54206->54207 54209 40eb0c 54207->54209 54212 406383 28 API calls 54209->54212 54210 40eab4 54694 40fb9f 78 API calls 54210->54694 54214 40eb18 54212->54214 54213 40eabd 54695 40f3eb 71 API calls 54213->54695 54216 401fe2 28 API calls 54214->54216 54217 40eb24 54216->54217 54218 401fd8 11 API 
calls 54217->54218 54219 40eb2d 54218->54219 54221 401fd8 11 API calls 54219->54221 54220 401fd8 11 API calls 54222 40ef36 54220->54222 54223 40eb36 54221->54223 54464 443396 GetModuleHandleW 54222->54464 54224 401e65 22 API calls 54223->54224 54225 40eb3f 54224->54225 54226 401fc0 28 API calls 54225->54226 54227 40eb4a 54226->54227 54228 401e65 22 API calls 54227->54228 54229 40eb63 54228->54229 54230 401e65 22 API calls 54229->54230 54231 40eb7e 54230->54231 54232 40ebe9 54231->54232 54696 406c59 54231->54696 54234 401e65 22 API calls 54232->54234 54238 40ebf6 54234->54238 54235 40ebab 54236 401fe2 28 API calls 54235->54236 54237 40ebb7 54236->54237 54240 401fd8 11 API calls 54237->54240 54239 40ec3d 54238->54239 54245 413584 3 API calls 54238->54245 54502 40d0a4 54239->54502 54241 40ebc0 54240->54241 54701 413584 RegOpenKeyExA 54241->54701 54243 40ec43 54244 40eac6 54243->54244 54505 41b354 54243->54505 54244->54220 54251 40ec21 54245->54251 54249 40ec5e 54252 40ecb1 54249->54252 54522 407751 54249->54522 54250 40f38a 54794 4139e4 30 API calls 54250->54794 54251->54239 54704 4139e4 30 API calls 54251->54704 54255 401e65 22 API calls 54252->54255 54258 40ecba 54255->54258 54257 40f3a0 54795 4124b0 65 API calls ___scrt_get_show_window_mode 54257->54795 54266 40ecc6 54258->54266 54267 40eccb 54258->54267 54261 40ec87 54263 401e65 22 API calls 54261->54263 54262 40ec7d 54705 407773 30 API calls 54262->54705 54276 40ec90 54263->54276 54264 40f3aa 54269 41bcef 28 API calls 54264->54269 54708 407790 CreateProcessA CloseHandle CloseHandle ___scrt_get_show_window_mode 54266->54708 54272 401e65 22 API calls 54267->54272 54268 40ec82 54706 40729b 98 API calls 54268->54706 54273 40f3ba 54269->54273 54274 40ecd4 54272->54274 54594 413a5e RegOpenKeyExW 54273->54594 54526 41bcef 54274->54526 54276->54252 54280 40ecac 54276->54280 54277 40ecdf 54530 401f13 54277->54530 54707 40729b 98 API calls 54280->54707 54284 401f09 11 API calls 54286 40f3d7 54284->54286 54285 401f09 11 API 
calls 54287 40ecf3 54285->54287 54288 401f09 11 API calls 54286->54288 54289 401e65 22 API calls 54287->54289 54290 40f3e0 54288->54290 54291 40ecfc 54289->54291 54597 40dd7d 54290->54597 54296 401e65 22 API calls 54291->54296 54295 40f3ea 54297 40ed16 54296->54297 54298 401e65 22 API calls 54297->54298 54299 40ed30 54298->54299 54300 401e65 22 API calls 54299->54300 54301 40ed49 54300->54301 54302 40edb6 54301->54302 54304 401e65 22 API calls 54301->54304 54303 40edc5 54302->54303 54310 40ef41 ___scrt_get_show_window_mode 54302->54310 54305 40edce 54303->54305 54333 40ee4a ___scrt_get_show_window_mode 54303->54333 54308 40ed5e _wcslen 54304->54308 54306 401e65 22 API calls 54305->54306 54307 40edd7 54306->54307 54309 401e65 22 API calls 54307->54309 54308->54302 54311 401e65 22 API calls 54308->54311 54312 40ede9 54309->54312 54769 413733 RegOpenKeyExA 54310->54769 54313 40ed79 54311->54313 54315 401e65 22 API calls 54312->54315 54316 401e65 22 API calls 54313->54316 54317 40edfb 54315->54317 54318 40ed8e 54316->54318 54320 401e65 22 API calls 54317->54320 54709 40da6f 54318->54709 54319 40ef8c 54321 401e65 22 API calls 54319->54321 54322 40ee24 54320->54322 54323 40efb1 54321->54323 54327 401e65 22 API calls 54322->54327 54328 402093 28 API calls 54323->54328 54326 401f13 28 API calls 54329 40edad 54326->54329 54330 40ee35 54327->54330 54331 40efc3 54328->54331 54332 401f09 11 API calls 54329->54332 54767 40ce34 46 API calls _wcslen 54330->54767 54549 4137aa RegCreateKeyA 54331->54549 54332->54302 54539 413982 54333->54539 54337 40eede ctype 54342 401e65 22 API calls 54337->54342 54338 40ee45 54338->54333 54340 401e65 22 API calls 54341 40efe5 54340->54341 54344 43bb2c _strftime 40 API calls 54341->54344 54343 40eef5 54342->54343 54343->54319 54347 40ef09 54343->54347 54345 40eff2 54344->54345 54346 40effc 54345->54346 54348 40f01f 54345->54348 54772 41ce2c 88 API calls ___scrt_get_show_window_mode 54346->54772 54349 401e65 22 API calls 54347->54349 54353 402093 
28 API calls 54348->54353 54351 40ef12 54349->54351 54354 41bcef 28 API calls 54351->54354 54352 40f003 CreateThread 54352->54348 55104 41d4ee 10 API calls 54352->55104 54355 40f034 54353->54355 54356 40ef1e 54354->54356 54357 402093 28 API calls 54355->54357 54768 40f4af 114 API calls 54356->54768 54360 40f043 54357->54360 54359 40ef23 54359->54319 54362 40ef2a 54359->54362 54361 41b580 80 API calls 54360->54361 54363 40f048 54361->54363 54362->54244 54364 401e65 22 API calls 54363->54364 54365 40f054 54364->54365 54366 401e65 22 API calls 54365->54366 54367 40f066 54366->54367 54368 401e65 22 API calls 54367->54368 54369 40f086 54368->54369 54370 43bb2c _strftime 40 API calls 54369->54370 54371 40f093 54370->54371 54372 401e65 22 API calls 54371->54372 54373 40f09e 54372->54373 54374 401e65 22 API calls 54373->54374 54375 40f0af 54374->54375 54376 401e65 22 API calls 54375->54376 54377 40f0c4 54376->54377 54378 401e65 22 API calls 54377->54378 54379 40f0d5 54378->54379 54380 40f0dc StrToIntA 54379->54380 54555 409e1f 54380->54555 54383 401e65 22 API calls 54384 40f0f7 54383->54384 54385 40f103 54384->54385 54387 40f13c 54384->54387 54773 43455e 54385->54773 54389 401e65 22 API calls 54387->54389 54390 40f14c 54389->54390 54393 40f194 54390->54393 54394 40f158 54390->54394 54391 401e65 22 API calls 54392 40f11f 54391->54392 54395 40f126 CreateThread 54392->54395 54397 401e65 22 API calls 54393->54397 54396 43455e new 22 API calls 54394->54396 54395->54387 55108 41a045 110 API calls 2 library calls 54395->55108 54398 40f161 54396->54398 54399 40f19d 54397->54399 54400 401e65 22 API calls 54398->54400 54402 40f207 54399->54402 54403 40f1a9 54399->54403 54401 40f173 54400->54401 54405 40f17a CreateThread 54401->54405 54406 401e65 22 API calls 54402->54406 54404 401e65 22 API calls 54403->54404 54408 40f1b9 54404->54408 54405->54393 55107 41a045 110 API calls 2 library calls 54405->55107 54407 40f210 54406->54407 54409 40f255 54407->54409 54410 40f21c 54407->54410 
54411 401e65 22 API calls 54408->54411 54580 41b69e GetComputerNameExW GetUserNameW 54409->54580 54413 401e65 22 API calls 54410->54413 54414 40f1ce 54411->54414 54416 40f225 54413->54416 54780 40da23 54414->54780 54421 401e65 22 API calls 54416->54421 54417 401f13 28 API calls 54418 40f269 54417->54418 54420 401f09 11 API calls 54418->54420 54423 40f272 54420->54423 54424 40f23a 54421->54424 54426 40f27b SetProcessDEPPolicy 54423->54426 54427 40f27e CreateThread 54423->54427 54434 43bb2c _strftime 40 API calls 54424->54434 54425 401f13 28 API calls 54428 40f1ed 54425->54428 54426->54427 54429 40f293 CreateThread 54427->54429 54430 40f29f 54427->54430 55077 40f7e2 54427->55077 54431 401f09 11 API calls 54428->54431 54429->54430 55109 412132 146 API calls 54429->55109 54432 40f2b4 54430->54432 54433 40f2a8 CreateThread 54430->54433 54435 40f1f6 CreateThread 54431->54435 54437 40f307 54432->54437 54439 402093 28 API calls 54432->54439 54433->54432 55105 412716 38 API calls ___scrt_get_show_window_mode 54433->55105 54436 40f247 54434->54436 54435->54402 55106 401a6d 50 API calls _strftime 54435->55106 54791 40c19d 7 API calls 54436->54791 54591 41353a RegOpenKeyExA 54437->54591 54440 40f2d7 54439->54440 54792 4052fd 28 API calls 54440->54792 54446 40f328 54448 41bcef 28 API calls 54446->54448 54449 40f338 54448->54449 54793 413656 31 API calls 54449->54793 54454 40f34e 54455 401f09 11 API calls 54454->54455 54458 40f359 54455->54458 54456 40f381 DeleteFileW 54457 40f388 54456->54457 54456->54458 54457->54264 54458->54264 54458->54456 54459 40f36f Sleep 54458->54459 54459->54458 54460->54138 54461->54142 54462->54148 54463->54145 54464->54155 54465->54156 54466->54158 54467->54161 54468->54165 54469->54167 54470->54169 54471->54172 54473 44f0eb 54472->54473 54474 44f0e2 54472->54474 54473->54180 54477 44efd8 49 API calls 4 library calls 54474->54477 54476->54180 54477->54473 54479 41cc20 LoadLibraryA GetProcAddress 54478->54479 54480 41cc10 GetModuleHandleA 
GetProcAddress 54478->54480 54481 41cc49 44 API calls 54479->54481 54482 41cc39 LoadLibraryA GetProcAddress 54479->54482 54480->54479 54481->54184 54482->54481 54796 41b539 FindResourceA 54483->54796 54486 43bda0 _Yarn 21 API calls 54487 40f428 ctype 54486->54487 54488 4020b7 28 API calls 54487->54488 54489 40f443 54488->54489 54490 401fe2 28 API calls 54489->54490 54491 40f44e 54490->54491 54492 401fd8 11 API calls 54491->54492 54493 40f457 54492->54493 54494 43bda0 _Yarn 21 API calls 54493->54494 54495 40f468 ctype 54494->54495 54799 406e13 54495->54799 54497 40f49b 54497->54186 54499 40fb5e 54498->54499 54501 40fb65 54498->54501 54802 402163 11 API calls 54499->54802 54501->54194 54803 401fab 54502->54803 54504 40d0ae CreateMutexA GetLastError 54504->54243 54804 41c048 54505->54804 54510 401fe2 28 API calls 54511 41b390 54510->54511 54512 401fd8 11 API calls 54511->54512 54513 41b398 54512->54513 54514 4135e1 31 API calls 54513->54514 54516 41b3ee 54513->54516 54515 41b3c1 54514->54515 54517 41b3cc StrToIntA 54515->54517 54516->54249 54518 41b3e3 54517->54518 54519 41b3da 54517->54519 54521 401fd8 11 API calls 54518->54521 54813 41cffa 22 API calls 54519->54813 54521->54516 54523 407765 54522->54523 54524 413584 3 API calls 54523->54524 54525 40776c 54524->54525 54525->54261 54525->54262 54527 41bd03 54526->54527 54528 40b93f 28 API calls 54527->54528 54529 41bd0b 54528->54529 54529->54277 54531 401f22 54530->54531 54532 401f6a 54530->54532 54533 402252 11 API calls 54531->54533 54532->54285 54534 401f2b 54533->54534 54535 401f6d 54534->54535 54536 401f46 54534->54536 54815 402336 54535->54815 54814 40305c 28 API calls 54536->54814 54540 4139a0 54539->54540 54541 406e13 28 API calls 54540->54541 54542 4139b5 54541->54542 54543 4020f6 28 API calls 54542->54543 54544 4139c5 54543->54544 54545 4137aa 14 API calls 54544->54545 54546 4139cf 54545->54546 54547 401fd8 11 API calls 54546->54547 54548 4139dc 54547->54548 54548->54337 54550 4137fa 54549->54550 54551 
4137c3 54549->54551 54552 401fd8 11 API calls 54550->54552 54554 4137d5 RegSetValueExA RegCloseKey 54551->54554 54553 40efd9 54552->54553 54553->54340 54554->54550 54556 409e3d _wcslen 54555->54556 54557 409e48 54556->54557 54558 409e5f 54556->54558 54559 40da6f 32 API calls 54557->54559 54560 40da6f 32 API calls 54558->54560 54561 409e50 54559->54561 54562 409e67 54560->54562 54564 401f13 28 API calls 54561->54564 54563 401f13 28 API calls 54562->54563 54565 409e75 54563->54565 54567 409e5a 54564->54567 54566 401f09 11 API calls 54565->54566 54568 409e7d 54566->54568 54569 401f09 11 API calls 54567->54569 54834 409196 28 API calls 54568->54834 54571 409eb4 54569->54571 54819 40a144 54571->54819 54572 409e8f 54835 403014 54572->54835 54577 401f13 28 API calls 54578 409ea4 54577->54578 54579 401f09 11 API calls 54578->54579 54579->54567 54581 40417e 28 API calls 54580->54581 54582 41b6ed 54581->54582 54884 4042fc 54582->54884 54585 403014 28 API calls 54586 41b703 54585->54586 54587 401f09 11 API calls 54586->54587 54588 41b70c 54587->54588 54589 401f09 11 API calls 54588->54589 54590 40f25e 54589->54590 54590->54417 54592 41355b RegQueryValueExA RegCloseKey 54591->54592 54593 40f31f 54591->54593 54592->54593 54593->54290 54593->54446 54595 40f3cd 54594->54595 54596 413a7a RegDeleteValueW 54594->54596 54595->54284 54596->54595 54598 40dd96 54597->54598 54599 41353a 3 API calls 54598->54599 54600 40dd9d 54599->54600 54604 40ddbc 54600->54604 54959 401707 54600->54959 54602 40ddaa 54962 4138b2 RegCreateKeyA 54602->54962 54605 414f65 54604->54605 54606 4020df 11 API calls 54605->54606 54607 414f79 54606->54607 54976 41b944 54607->54976 54610 4020df 11 API calls 54611 414f8f 54610->54611 54612 401e65 22 API calls 54611->54612 54613 414f9d 54612->54613 54614 43bb2c _strftime 40 API calls 54613->54614 54615 414faa 54614->54615 54616 414fbc 54615->54616 54617 414faf Sleep 54615->54617 54618 402093 28 API calls 54616->54618 54617->54616 54619 414fcb 54618->54619 54620 
401e65 22 API calls 54619->54620 54621 414fd4 54620->54621 54622 4020f6 28 API calls 54621->54622 54623 414fdf 54622->54623 54624 41beac 28 API calls 54623->54624 54625 414fe7 54624->54625 54980 40489e WSAStartup 54625->54980 54627 414ff1 54628 401e65 22 API calls 54627->54628 54629 414ffa 54628->54629 54630 401e65 22 API calls 54629->54630 54656 415079 54629->54656 54631 415013 54630->54631 54632 401e65 22 API calls 54631->54632 54633 415024 54632->54633 54636 401e65 22 API calls 54633->54636 54634 41beac 28 API calls 54634->54656 54635 401e65 22 API calls 54635->54656 54637 415035 54636->54637 54638 401e65 22 API calls 54637->54638 54640 415046 54638->54640 54639 406c59 28 API calls 54639->54656 54642 401e65 22 API calls 54640->54642 54641 401fe2 28 API calls 54641->54656 54643 415057 54642->54643 54644 401e65 22 API calls 54643->54644 54645 415069 54644->54645 55005 40473d 89 API calls 54645->55005 54647 402093 28 API calls 54647->54656 54648 41b580 80 API calls 54648->54656 54650 4151c7 WSAGetLastError 55006 41cb72 30 API calls 54650->55006 54651 40482d 3 API calls 54651->54656 54654 404f51 105 API calls 54654->54656 54655 4048c8 97 API calls 54655->54656 54656->54634 54656->54635 54656->54639 54656->54641 54656->54647 54656->54648 54656->54650 54656->54651 54656->54654 54656->54655 54657 404e26 99 API calls 54656->54657 54658 40531e 28 API calls 54656->54658 54659 401e8d 11 API calls 54656->54659 54661 415a6e 54656->54661 54664 406383 28 API calls 54656->54664 54667 409097 28 API calls 54656->54667 54668 441ed1 20 API calls 54656->54668 54669 4020f6 28 API calls 54656->54669 54670 413733 3 API calls 54656->54670 54671 4135e1 31 API calls 54656->54671 54672 40417e 28 API calls 54656->54672 54675 401e65 22 API calls 54656->54675 54679 41bc1f 28 API calls 54656->54679 54680 41bb27 30 API calls 54656->54680 54681 41bdaf 28 API calls 54656->54681 54683 402f31 28 API calls 54656->54683 54684 402f10 28 API calls 54656->54684 54685 402ea1 28 API calls 54656->54685 
54686 404aa1 61 API calls 54656->54686 54687 401fd8 11 API calls 54656->54687 54688 401f09 11 API calls 54656->54688 54689 404c10 265 API calls 54656->54689 54691 415aac CreateThread 54656->54691 54981 414f24 54656->54981 54986 41b871 54656->54986 54989 4145f8 54656->54989 54992 40ddc4 54656->54992 54998 41bcd3 54656->54998 55001 41bb77 GetLastInputInfo GetTickCount 54656->55001 55002 40f90c GetLocaleInfoA 54656->55002 55007 4052fd 28 API calls 54656->55007 54657->54656 54658->54656 54659->54656 54660 401e65 22 API calls 54660->54661 54661->54660 54662 43bb2c _strftime 40 API calls 54661->54662 55008 40b08c 85 API calls 54661->55008 54663 415b0a Sleep 54662->54663 54663->54656 54664->54656 54667->54656 54668->54656 54669->54656 54670->54656 54671->54656 54672->54656 54676 415474 GetTickCount 54675->54676 54677 41bc1f 28 API calls 54676->54677 54677->54656 54679->54656 54680->54656 54681->54656 54683->54656 54684->54656 54685->54656 54686->54656 54687->54656 54688->54656 54689->54656 54691->54656 55049 41ada8 106 API calls 54691->55049 54692->54202 54693->54210 54694->54213 54697 4020df 11 API calls 54696->54697 54698 406c65 54697->54698 54699 4032a0 28 API calls 54698->54699 54700 406c82 54699->54700 54700->54235 54702 40ebdf 54701->54702 54703 4135ae RegQueryValueExA RegCloseKey 54701->54703 54702->54232 54702->54250 54703->54702 54704->54239 54705->54268 54706->54261 54707->54252 54708->54267 55050 401f86 54709->55050 54712 40dae0 54716 41c048 2 API calls 54712->54716 54713 40daab 55069 41b645 29 API calls 54713->55069 54714 40dbd4 GetLongPathNameW 54718 40417e 28 API calls 54714->54718 54715 40daa1 54715->54714 54719 40dae5 54716->54719 54721 40dbe9 54718->54721 54722 40dae9 54719->54722 54723 40db3b 54719->54723 54720 40dab4 54724 401f13 28 API calls 54720->54724 54725 40417e 28 API calls 54721->54725 54727 40417e 28 API calls 54722->54727 54726 40417e 28 API calls 54723->54726 54728 40dabe 54724->54728 54729 40dbf8 54725->54729 54730 40db49 54726->54730 54731 
Call-graph edge list (Joe Sandbox IDA plugin export; the numeric node IDs and edges do not survive the text rendering and are dropped here). Nodes in this span that call Windows APIs or CRT routines directly:
• 413759: RegQueryValueExA, RegCloseKey
• 4135e1: RegOpenKeyExA; 41360f: RegQueryValueExA, RegCloseKey
• 4138ca: RegSetValueExA, RegCloseKey
• 41b556: LoadResource, LockResource, SizeofResource
• 41c055: GetCurrentProcess, IsWow64Process
• 41b847: GlobalMemoryStatusEx
• 414f3d: getaddrinfo, WSASetLastError
• 426d59: send; 426d42: recv
• 4338c8: CryptAcquireContextA; 4338e9: CryptGenRandom; 4338fe: CryptReleaseContext
• 40f891: Sleep; 41288b: TerminateProcess, WaitForSingleObject; 40f903: ExitProcess
• 435036: IsProcessorFeaturePresent; 43503c: SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
• 41dbf3: DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection
• 446259: RtlReAllocateHeap; 44680d: RtlFreeHeap; 446828: GetLastError
• 434c99, 4352fb: RaiseException (Concurrency::cancel_current_task, __CxxThrowException@8)
• 41b98a: ctype, ___scrt_get_show_window_mode
• Nodes reported only with an aggregated call count: 40a1b4 (86 API calls), 40a2a2 (86), 40a2ae (164), 40a2b8 (129), 40a2c4 (49), 40d0d1 (112), 412829 (62), 43d334 (51), 43a837 (36), 414dc1 (29), 43455e (new, 22), 43bda0 (_Yarn, 21), 432f55 (21), 44062d (_Atexit, 20), 43ccc6 (20), 43cd30 (_free, 20), 41384f (14), 4137aa (14), 4489d7 (11), 443001 (7), 41353a (3), 413584 (3)

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                                                                    • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                                                                    • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                                                                    • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                                                                    • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                                                                    • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                                                                    • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                                                                    • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                                                                    • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                                                                    • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                                                                    • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                                                                    • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                                                                    • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                                                    • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                                                    • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD17
                                                                    • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040EA1C), ref: 0041CD28
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD2B
                                                                    • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040EA1C), ref: 0041CD38
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD3B
                                                                    • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040EA1C), ref: 0041CD48
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD4B
                                                                    • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040EA1C), ref: 0041CD5D
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD60
                                                                    • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040EA1C), ref: 0041CD6D
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD70
                                                                    • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040EA1C), ref: 0041CD81
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD84
                                                                    • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040EA1C), ref: 0041CD95
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD98
                                                                    • LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,?,0040EA1C), ref: 0041CDAA
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CDAD
                                                                    • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040EA1C), ref: 0041CDBA
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CDBD
                                                                    • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040EA1C), ref: 0041CDCA
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CDCD
                                                                    • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040EA1C), ref: 0041CDDA
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CDDD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressProc$LibraryLoad$HandleModule
                                                                    • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                                    • API String ID: 4236061018-3687161714
                                                                    • Opcode ID: 5fded5d77b72a202610b087cc82529c2f7d7b10a8ab2824fd38dfad8e3bd9f71
                                                                    • Instruction ID: 9b463eec3a0437fb1f175c53e93b0f4db36c95b88d1cb607187732a7b05a7934
                                                                    • Opcode Fuzzy Hash: 5fded5d77b72a202610b087cc82529c2f7d7b10a8ab2824fd38dfad8e3bd9f71
                                                                    • Instruction Fuzzy Hash: E2418BA0E8035879DB207BB65D89E3B3E5CD9857953614837B44C93550EBBCEC408EAE
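The API list for this function is a loader loop: every LoadLibraryA/GetModuleHandleA call is immediately followed by a GetProcAddress, and because the sandbox prints the stack at call time the loader line already shows the symbol the next GetProcAddress resolves. None of these symbols (NtUnmapViewOfSection, NtSuspendProcess, IsUserAnAdmin, SetProcessDEPPolicy, GetExtendedTcpTable, the Restart Manager functions) will appear in the PE import table. The following script is an added example, not part of the report or of the sample's code: it parses bullets in exactly the format shown above, pairs each loader call with its GetProcAddress, rebuilds the hidden per-DLL import table, and flags symbols on an analyst watchlist. The watchlist notes are my own capability labels for those APIs; the sample lines are copied from the list above (the entry requesting `0000000C` from Shlwapi is an import by ordinal, which the script reports as `#12` without guessing which export that is).

```python
"""Rebuild the run-time-resolved import table from a Joe Sandbox 'APIs' listing."""
import re
from collections import defaultdict

# One sandbox API bullet, e.g.
#   • LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
# An optional "Part of subcall function XXXXXXXX:" prefix (as in nested listings) is accepted.
API_LINE = re.compile(
    r"^\s*[•*-]?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
           "GetModuleHandleA", "GetModuleHandleW"}

# Analyst watchlist (my labels, not something the report states): why each symbol matters.
WATCHLIST = {
    "ntunmapviewofsection": "unmaps a mapped image: building block of process hollowing",
    "ntsuspendprocess": "suspends every thread of a target process",
    "ntresumeprocess": "resumes a suspended process",
    "ntqueryinformationprocess": "reads PEB address / details of another process",
    "isuseranadmin": "tests whether the caller already holds an administrator token",
    "setprocessdeppolicy": "changes the DEP policy of the current process",
    "getextendedtcptable": "enumerates TCP connections with owning PIDs",
    "getextendedudptable": "enumerates UDP endpoints with owning PIDs",
    "rmstartsession": "Restart Manager: lists processes holding a file open",
    "getprocessimagefilenamew": "resolves the image path of another process",
}


def parse_api_lines(text):
    """Return [(api, [args], ref_address)] for every bullet that matches the listing format."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
            calls.append((m.group("api"), args, int(m.group("ref"), 16)))
    return calls


def pair_dynamic_imports(calls):
    """Pair each LoadLibrary*/GetModuleHandle* call with the GetProcAddress right after it.

    A symbol printed as an 8-digit hex value below 0x10000 is an import by ordinal
    (GetProcAddress treats a name pointer with a zero high word as an ordinal).
    """
    imports = []
    for (api, args, ref), (next_api, _, _) in zip(calls, calls[1:]):
        if api not in LOADERS or next_api != "GetProcAddress" or len(args) < 2:
            continue
        module, symbol = args[0].lower(), args[1]
        if re.fullmatch(r"[0-9A-Fa-f]{8}", symbol) and int(symbol, 16) < 0x10000:
            symbol = "#%d" % int(symbol, 16)
        imports.append((module, symbol, api, ref))
    return imports


def imports_by_module(imports):
    """Group recovered symbols per DLL, the way a static import table would show them."""
    table = defaultdict(list)
    for module, symbol, _, _ in imports:
        table[module].append(symbol)
    return {m: sorted(s) for m, s in table.items()}


def flag_capabilities(imports):
    """Return (module, symbol, note) for every recovered symbol on the watchlist."""
    return [(m, s, WATCHLIST[s.lower()]) for m, s, _, _ in imports if s.lower() in WATCHLIST]


# Sample input: bullets copied from the report's API list for this function, plus one
# unrelated call to show that non-loader lines are parsed but never paired.
SAMPLE = """\
• LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
• GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
• LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
• GetProcAddress.KERNEL32(00000000), ref: 0041CC57
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
• GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
• LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
• GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
• LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
• GetProcAddress.KERNEL32(00000000), ref: 0041CD17
• LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040EA1C), ref: 0041CD5D
• GetProcAddress.KERNEL32(00000000), ref: 0041CD60
• VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
"""

if __name__ == "__main__":
    recovered = pair_dynamic_imports(parse_api_lines(SAMPLE))
    for module, symbols in sorted(imports_by_module(recovered).items()):
        print("%-10s %s" % (module, ", ".join(symbols)))
    for module, symbol, note in flag_capabilities(recovered):
        print("[!] %s!%s: %s" % (module, symbol, note))
```

Feed it the whole "APIs" section of a report rather than a single function: the pairing is positional, so it also works on the nested "Part of subcall function" listings, and the per-DLL table is a quick way to compare what a packed sample resolves at run time against what its import directory admits to.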

                                                                    Control-flow Graph

                                                                    control_flow_graph 5 40ea00-40ea82 call 41cbe1 GetModuleFileNameW call 40f3fe call 4020f6 * 2 call 41beac call 40fb52 call 401e8d call 43fd50 22 40ea84-40eac9 call 40fbee call 401e65 call 401fab call 410f72 call 40fb9f call 40f3eb 5->22 23 40eace-40eb96 call 401e65 call 401fab call 401e65 call 40531e call 406383 call 401fe2 call 401fd8 * 2 call 401e65 call 401fc0 call 405aa6 call 401e65 call 4051e3 call 401e65 call 4051e3 5->23 49 40ef2d-40ef3e call 401fd8 22->49 69 40eb98-40ebe3 call 406c59 call 401fe2 call 401fd8 call 401fab call 413584 23->69 70 40ebe9-40ec04 call 401e65 call 40b9f8 23->70 69->70 102 40f38a-40f3a5 call 401fab call 4139e4 call 4124b0 69->102 79 40ec06-40ec25 call 401fab call 413584 70->79 80 40ec3e-40ec45 call 40d0a4 70->80 79->80 98 40ec27-40ec3d call 401fab call 4139e4 79->98 88 40ec47-40ec49 80->88 89 40ec4e-40ec55 80->89 92 40ef2c 88->92 93 40ec57 89->93 94 40ec59-40ec65 call 41b354 89->94 92->49 93->94 103 40ec67-40ec69 94->103 104 40ec6e-40ec72 94->104 98->80 124 40f3aa-40f3db call 41bcef call 401f04 call 413a5e call 401f09 * 2 102->124 103->104 108 40ecb1-40ecc4 call 401e65 call 401fab 104->108 109 40ec74 call 407751 104->109 127 40ecc6 call 407790 108->127 128 40eccb-40ed53 call 401e65 call 41bcef call 401f13 call 401f09 call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab 108->128 118 40ec79-40ec7b 109->118 121 40ec87-40ec9a call 401e65 call 401fab 118->121 122 40ec7d-40ec82 call 407773 call 40729b 118->122 121->108 141 40ec9c-40eca2 121->141 122->121 157 40f3e0-40f3ea call 40dd7d call 414f65 124->157 127->128 177 40ed55-40ed6e call 401e65 call 401fab call 43bb56 128->177 178 40edbb-40edbf 128->178 141->108 144 40eca4-40ecaa 141->144 144->108 147 40ecac call 40729b 144->147 147->108 177->178 202 40ed70-40edb6 call 401e65 call 401fab call 401e65 call 401fab call 40da6f call 401f13 call 401f09 177->202 179 40ef41-40efa1 call 
436f10 call 40247c call 401fab * 2 call 413733 call 409092 178->179 180 40edc5-40edcc 178->180 233 40efa6-40effa call 401e65 call 401fab call 402093 call 401fab call 4137aa call 401e65 call 401fab call 43bb2c 179->233 182 40ee4a-40ee54 call 409092 180->182 183 40edce-40ee48 call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 40ce34 180->183 192 40ee59-40ee7d call 40247c call 434829 182->192 183->192 210 40ee8c 192->210 211 40ee7f-40ee8a call 436f10 192->211 202->178 216 40ee8e-40eed9 call 401f04 call 43f859 call 40247c call 401fab call 40247c call 401fab call 413982 210->216 211->216 271 40eede-40ef03 call 434832 call 401e65 call 40b9f8 216->271 286 40f017-40f019 233->286 287 40effc 233->287 271->233 288 40ef09-40ef28 call 401e65 call 41bcef call 40f4af 271->288 290 40f01b-40f01d 286->290 291 40f01f 286->291 289 40effe-40f015 call 41ce2c CreateThread 287->289 288->233 306 40ef2a 288->306 294 40f025-40f101 call 402093 * 2 call 41b580 call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 43bb2c call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab StrToIntA call 409e1f call 401e65 call 401fab 289->294 290->289 291->294 344 40f103-40f13a call 43455e call 401e65 call 401fab CreateThread 294->344 345 40f13c 294->345 306->92 347 40f13e-40f156 call 401e65 call 401fab 344->347 345->347 356 40f194-40f1a7 call 401e65 call 401fab 347->356 357 40f158-40f18f call 43455e call 401e65 call 401fab CreateThread 347->357 368 40f207-40f21a call 401e65 call 401fab 356->368 369 40f1a9-40f202 call 401e65 call 401fab call 401e65 call 401fab call 40da23 call 401f13 call 401f09 CreateThread 356->369 357->356 379 40f255-40f279 call 41b69e call 401f13 call 401f09 368->379 380 40f21c-40f250 call 401e65 call 401fab call 401e65 call 401fab call 43bb2c call 40c19d 368->380 369->368 400 40f27b-40f27c SetProcessDEPPolicy 379->400 401 40f27e-40f291 CreateThread 
379->401 380->379 400->401 404 40f293-40f29d CreateThread 401->404 405 40f29f-40f2a6 401->405 404->405 408 40f2b4-40f2bb 405->408 409 40f2a8-40f2b2 CreateThread 405->409 412 40f2c9 408->412 413 40f2bd-40f2c0 408->413 409->408 418 40f2ce-40f302 call 402093 call 4052fd call 402093 call 41b580 call 401fd8 412->418 415 40f2c2-40f2c7 413->415 416 40f307-40f31a call 401fab call 41353a 413->416 415->418 426 40f31f-40f322 416->426 418->416 426->157 428 40f328-40f368 call 41bcef call 401f04 call 413656 call 401f09 call 401f04 426->428 443 40f381-40f386 DeleteFileW 428->443 444 40f388 443->444 445 40f36a-40f36d 443->445 444->124 445->124 446 40f36f-40f37c Sleep call 401f04 445->446 446->443
                                                                    APIs
                                                                      • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                                                                      • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                                                                      • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                                                      • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                                                                      • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                                                                      • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                                                                      • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                                                                      • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                                                                      • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                                                                      • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                                                                      • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                                                                      • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                                                                      • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                                                      • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                                                                      • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                                                      • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                                                                      • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                                                                      • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                                                                      • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                                                      • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                                                                      • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                                                      • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                                                                      • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                                                      • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                                                                      • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                                                      • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                                                      • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                                                      • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                                                      • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                                                    • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe,00000104), ref: 0040EA29
                                                                      • Part of subcall function 00410F72: __EH_prolog.LIBCMT ref: 00410F77
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                                    • String ID: (TG$,aF$,aF$Access Level: $Administrator$C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe$Exe$Exe$HSG$HSG$Inj$Remcos Agent initialized$Rmc-VG9RMM$Software\$User$`SG$del$del$exepath$licence$license_code.txt$tMG$RG$RG$RG$RG$RG
                                                                    • API String ID: 2830904901-1040101058
                                                                    • Opcode ID: 82bfc12c23da62e02e0b0e3a03bc47fb205325c82bfa48bd7b8ba886b68de15d
                                                                    • Instruction ID: 744eeac4272eceb7f63ef51a6efbfa797c3f505d1bd04c543663c5f487e0f2b9
                                                                    • Opcode Fuzzy Hash: 82bfc12c23da62e02e0b0e3a03bc47fb205325c82bfa48bd7b8ba886b68de15d
                                                                    • Instruction Fuzzy Hash: 7D32D860B043416BDA14B7729C57B6E26994F80748F40483FB9467F2E3EEBD8D45839E

                                                                    Control-flow Graph

                                                                    control_flow_graph 448 41812a-418153 449 418157-4181be GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 448->449 450 4181c4-4181cb 449->450 451 4184bb 449->451 450->451 452 4181d1-4181d8 450->452 453 4184bd-4184c7 451->453 452->451 454 4181de-4181e0 452->454 454->451 455 4181e6-418213 call 436f10 * 2 454->455 455->451 460 418219-418224 455->460 460->451 461 41822a-41825a CreateProcessW 460->461 462 418260-418288 VirtualAlloc Wow64GetThreadContext 461->462 463 4184b5 GetLastError 461->463 464 41847f-4184b3 VirtualFree GetCurrentProcess NtUnmapViewOfSection NtClose TerminateProcess 462->464 465 41828e-4182ae ReadProcessMemory 462->465 463->451 464->451 465->464 466 4182b4-4182d6 NtCreateSection 465->466 466->464 467 4182dc-4182e9 466->467 468 4182eb-4182f6 NtUnmapViewOfSection 467->468 469 4182fc-41831e NtMapViewOfSection 467->469 468->469 470 418320-41835d VirtualFree NtClose TerminateProcess 469->470 471 418368-41838f GetCurrentProcess NtMapViewOfSection 469->471 470->449 472 418363 470->472 471->464 473 418395-418399 471->473 472->451 474 4183a2-4183c0 call 436990 473->474 475 41839b-41839f 473->475 478 418402-41840b 474->478 479 4183c2-4183d0 474->479 475->474 480 41842b-41842f 478->480 481 41840d-418413 478->481 482 4183d2-4183f5 call 436990 479->482 484 418431-41844e WriteProcessMemory 480->484 485 418454-41846b Wow64SetThreadContext 480->485 481->480 483 418415-418428 call 41853e 481->483 493 4183f7-4183fe 482->493 483->480 484->464 488 418450 484->488 485->464 489 41846d-418479 ResumeThread 485->489 488->485 489->464 492 41847b-41847d 489->492 492->453 493->478
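The block graph above is the section-mapping variant of process hollowing: CreateProcessW with dwCreationFlags 0x4 (CREATE_SUSPENDED), a 4-byte ReadProcessMemory (consistent with fetching the image base from the suspended process's PEB; an inference from the call shape, not something the report states), NtCreateSection with DesiredAccess 0xF001F (SECTION_ALL_ACCESS), page protection 0x40 (PAGE_EXECUTE_READWRITE), AllocationAttributes 0x8000000 (SEC_COMMIT) and a NULL FileHandle (pagefile-backed), NtUnmapViewOfSection, one NtMapViewOfSection into the child with Win32Protect 0x40 and, after GetCurrentProcess, a second map into the injector itself, then WriteProcessMemory, Wow64SetThreadContext and ResumeThread. The argument values are taken from the API list that follows. The script below is an added example, not part of the report or of the sample's code: it decodes those hex arguments into their SDK names and runs an ordered-stage detector over a trace of (api, args) events. Argument strings up to the first NtMapViewOfSection are the ones the report prints for this function; the remaining events follow the block order of the graph with placeholder (`?`) arguments, and the benign trace is constructed.

```python
"""Decode the argument values of a process-hollowing API sequence and flag the pattern."""

CREATE_SUSPENDED = 0x00000004          # CreateProcess* dwCreationFlags
SECTION_ALL_ACCESS = 0x000F001F        # NtCreateSection DesiredAccess
SEC_COMMIT = 0x08000000                # NtCreateSection AllocationAttributes
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
                0x80: "PAGE_EXECUTE_WRITECOPY"}
PAGE_EXECUTE_ANY = 0x10 | 0x20 | 0x40 | 0x80


def arg_int(a):
    """The sandbox prints pointers it could not resolve as '?'; keep those as None."""
    return None if a in ("?", "") else int(a, 16)


def decode_create_process(args):
    flags = (arg_int(args[5]) or 0) if len(args) > 5 else 0   # dwCreationFlags is the 6th parameter
    return {"dwCreationFlags": flags, "suspended": bool(flags & CREATE_SUSPENDED)}


def decode_create_section(args):
    # NtCreateSection(SectionHandle, DesiredAccess, ObjectAttributes, MaximumSize,
    #                 SectionPageProtection, AllocationAttributes, FileHandle)
    access = arg_int(args[1]) or 0
    prot = arg_int(args[4]) or 0
    alloc = arg_int(args[5]) or 0
    file_handle = arg_int(args[6])
    return {"all_access": access == SECTION_ALL_ACCESS,
            "protection": PAGE_PROTECT.get(prot, hex(prot)),
            "executable": bool(prot & PAGE_EXECUTE_ANY),
            "sec_commit": bool(alloc & SEC_COMMIT),
            "pagefile_backed": file_handle == 0}   # NULL FileHandle: not backed by an image file


def decode_map_view(args):
    # NtMapViewOfSection(SectionHandle, ProcessHandle, BaseAddress, ZeroBits, CommitSize,
    #                    SectionOffset, ViewSize, InheritDisposition, AllocationType, Win32Protect)
    prot = (arg_int(args[9]) or 0) if len(args) > 9 else 0
    return {"protection": PAGE_PROTECT.get(prot, hex(prot)),
            "executable": bool(prot & PAGE_EXECUTE_ANY)}


STAGES = ("CreateProcess* with CREATE_SUSPENDED",
          "NtCreateSection: executable, pagefile-backed",
          "NtMapViewOfSection: executable view",
          "SetThreadContext (new entry point)",
          "ResumeThread")


def detect_hollowing(events):
    """Walk (api, args) events in call order; each stage must appear after the previous one.
    Unrelated calls in between (VirtualAlloc, ReadProcessMemory, ...) are skipped."""
    matched, want = [], 0
    for api, args in events:
        if want == 0 and api.startswith("CreateProcess") and decode_create_process(args)["suspended"]:
            want = 1
        elif want == 1 and api in ("NtCreateSection", "ZwCreateSection"):
            sec = decode_create_section(args)
            if not (sec["executable"] and sec["pagefile_backed"]):
                continue
            want = 2
        elif want == 2 and api in ("NtMapViewOfSection", "ZwMapViewOfSection") \
                and decode_map_view(args)["executable"]:
            want = 3
        elif want == 3 and api.endswith("SetThreadContext"):
            want = 4
        elif want == 4 and api == "ResumeThread":
            want = 5
        else:
            continue
        matched.append(STAGES[want - 1])
        if want == 5:
            break
    return {"stages": matched, "hollowing": want == 5}


def ev(api, argstr):
    return (api, argstr.split(",") if argstr else [])


# Events up to the first NtMapViewOfSection carry the argument strings the report prints for
# this function; the rest follow the graph's block order with placeholder arguments.
HOLLOWING_TRACE = [
    ev("CreateProcessW", "00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?"),
    ev("VirtualAlloc", "00000000,00000004,00001000,00000004"),
    ev("Wow64GetThreadContext", "?,00000000"),
    ev("ReadProcessMemory", "?,?,?,00000004,?"),
    ev("NtCreateSection", "?,000F001F,00000000,?,00000040,08000000,00000000"),
    ev("NtUnmapViewOfSection", "?,?"),
    ev("NtMapViewOfSection", "?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040"),
    ev("GetCurrentProcess", ""),
    ev("NtMapViewOfSection", "?,?,?,?,?,?,?,?,?,?"),
    ev("WriteProcessMemory", "?,?,?,?,?"),
    ev("Wow64SetThreadContext", "?,?"),
    ev("ResumeThread", "?"),
]
# Constructed control: a child started without CREATE_SUSPENDED and never injected into.
BENIGN_TRACE = [
    ev("CreateProcessW", "00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?"),
    ev("ResumeThread", "?"),
]

if __name__ == "__main__":
    print(decode_create_section(HOLLOWING_TRACE[4][1]))
    print(detect_hollowing(HOLLOWING_TRACE))
    print(detect_hollowing(BENIGN_TRACE))
```

The detector deliberately keys on the RWX, pagefile-backed section rather than on WriteProcessMemory: in this variant the injector writes the payload through its own local view of the shared section, so a rule that only watches cross-process writes sees a 4-byte ReadProcessMemory and a small WriteProcessMemory (the patched entry point) and nothing that looks like an image being copied.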
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00418174
                                                                    • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00418188
                                                                    • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041819C
                                                                    • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 004181B0
                                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
                                                                    • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
                                                                    • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 00418280
                                                                    • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004182A6
                                                                    • NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 004182CE
                                                                    • NtUnmapViewOfSection.NTDLL(?,?), ref: 004182F6
                                                                    • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418316
                                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418328
                                                                    • NtClose.NTDLL(?), ref: 00418332
                                                                    • TerminateProcess.KERNEL32(?,00000000), ref: 0041833C
                                                                    • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041837C
                                                                    • NtMapViewOfSection.NTDLL(?,00000000), ref: 00418387
                                                                    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00418446
                                                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00418463
                                                                    • ResumeThread.KERNEL32(?), ref: 00418470
                                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418487
                                                                    • GetCurrentProcess.KERNEL32(?), ref: 00418492
                                                                    • NtUnmapViewOfSection.NTDLL(00000000), ref: 00418499
                                                                    • NtClose.NTDLL(?), ref: 004184A3
                                                                    • TerminateProcess.KERNEL32(?,00000000), ref: 004184AD
                                                                    • GetLastError.KERNEL32 ref: 004184B5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Process$Section$AddressHandleModuleProcView$ThreadVirtual$CloseContextCreateCurrentFreeMemoryTerminateUnmapWow64$AllocErrorLastReadResumeWrite
                                                                    • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                                                    • API String ID: 3150337530-3035715614
                                                                    • Opcode ID: 8f07b7a254e48d041da81a251375b09bf463a0f5c88c0795319c3241d295ec1a
                                                                    • Instruction ID: 6e605283caf6159cf0966bfa06415cd8be065dbd330dc5e1b11c181c8b11ae87
                                                                    • Opcode Fuzzy Hash: 8f07b7a254e48d041da81a251375b09bf463a0f5c88c0795319c3241d295ec1a
                                                                    • Instruction Fuzzy Hash: 5AA14DB0604301AFDB209F64DD85B6B7BE8FB88745F04482EF689D6291EB78DC44CB59

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 1460 100010f1-10001166 call 10002c40 * 2 lstrlenW call 10002c40 lstrcatW lstrlenW 1467 10001177-1000119e lstrlenW FindFirstFileW 1460->1467 1468 10001168-10001172 lstrlenW 1460->1468 1469 100011a0-100011a8 1467->1469 1470 100011e1-100011e9 1467->1470 1468->1467 1471 100011c7-100011d8 FindNextFileW 1469->1471 1472 100011aa-100011c4 call 10001000 1469->1472 1471->1469 1474 100011da-100011db FindClose 1471->1474 1472->1471 1474->1470
                                                                    APIs
                                                                    • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                                                    • lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001151
                                                                    • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                                                    • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                                                    • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                                                    • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                                                    • FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
                                                                    • FindClose.KERNEL32(00000000), ref: 100011DB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4517676071.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4517659221.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4517676071.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                                                                    • String ID:
                                                                    • API String ID: 1083526818-0
                                                                    • Opcode ID: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                                                                    • Instruction ID: 89aa6ca17049c9a574106098fd68ded4b08ae6dd255c3979a52dcbc6bb9ed716
                                                                    • Opcode Fuzzy Hash: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                                                                    • Instruction Fuzzy Hash: D22193715043586BE714EB649C49FDF7BDCEF84394F00092AFA58D3190E770D64487A6

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 00413584: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
                                                                      • Part of subcall function 00413584: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,00475300), ref: 004135C2
                                                                      • Part of subcall function 00413584: RegCloseKey.KERNEL32(?), ref: 004135CD
                                                                    • Sleep.KERNEL32(00000BB8), ref: 0040F896
                                                                    • ExitProcess.KERNEL32 ref: 0040F905
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseExitOpenProcessQuerySleepValue
                                                                    • String ID: 5.2.0 Pro$override$pth_unenc$RG
                                                                    • API String ID: 2281282204-1448307011
                                                                    • Opcode ID: 3c03a218c075b6ec39c216bc398aa57ef6cd9b47273f335186667c9805b65560
                                                                    • Instruction ID: 0454f1d730b8de97e77b6af0221289a353f5645d6d0bcfbcd4472c6607f37e61
                                                                    • Opcode Fuzzy Hash: 3c03a218c075b6ec39c216bc398aa57ef6cd9b47273f335186667c9805b65560
                                                                    • Instruction Fuzzy Hash: 7421E171B0420127D6087676885B6AE399A9B80708F50453FF409672D6FF7C8E0483AF

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 1523 41b411-41b454 call 4020df call 43bda0 InternetOpenW InternetOpenUrlW 1528 41b456-41b477 InternetReadFile 1523->1528 1529 41b479-41b499 call 4020b7 call 403376 call 401fd8 1528->1529 1530 41b49d-41b4a0 1528->1530 1529->1530 1531 41b4a2-41b4a4 1530->1531 1532 41b4a6-41b4b3 InternetCloseHandle * 2 call 43bd9b 1530->1532 1531->1528 1531->1532 1536 41b4b8-41b4c2 1532->1536
                                                                    APIs
                                                                    • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B438
                                                                    • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B44E
                                                                    • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B467
                                                                    • InternetCloseHandle.WININET(00000000), ref: 0041B4AD
                                                                    • InternetCloseHandle.WININET(00000000), ref: 0041B4B0
                                                                    Strings
                                                                    • http://geoplugin.net/json.gp, xrefs: 0041B448
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Internet$CloseHandleOpen$FileRead
                                                                    • String ID: http://geoplugin.net/json.gp
                                                                    • API String ID: 3121278467-91888290
                                                                    • Opcode ID: 4e2645c3046718cbe2031a9352f432545f17450a0a2b1c602f3596dc6c63889a
                                                                    • Instruction ID: e320c318363c88f1c040182635621d8729538b68a2f0080144892bf513bd3cc2
                                                                    • Opcode Fuzzy Hash: 4e2645c3046718cbe2031a9352f432545f17450a0a2b1c602f3596dc6c63889a
                                                                    • Instruction Fuzzy Hash: 011198311053126BD224AB269C49EBF7F9CEF86765F10043EF945A2282DB689C44C6FA

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 1568 411d39-411d59 call 4117d7 1571 411d62-411d6b 1568->1571 1572 411d5b-411d5d 1568->1572 1574 411d7a-411d8c call 4117d7 1571->1574 1575 411d6d-411d78 SetLastError 1571->1575 1573 411f75-411f7b 1572->1573 1574->1572 1578 411d8e-411d99 1574->1578 1575->1572 1578->1575 1579 411d9b-411da4 1578->1579 1579->1575 1580 411da6-411daa 1579->1580 1580->1575 1581 411dac-411db6 1580->1581 1582 411db8-411dbb 1581->1582 1583 411dda-411dfd GetNativeSystemInfo call 4117c6 * 2 1581->1583 1584 411dbd-411dc3 1582->1584 1592 411e0f-411e29 call 411cde 1583->1592 1593 411dff 1583->1593 1586 411dc5-411dc8 1584->1586 1587 411dca 1584->1587 1589 411dcd-411dd8 1586->1589 1587->1589 1589->1583 1589->1584 1598 411e47-411e5c GetProcessHeap HeapAlloc 1592->1598 1599 411e2b-411e41 call 411cde 1592->1599 1595 411e04-411e0a SetLastError 1593->1595 1597 411f72 1595->1597 1600 411f74 1597->1600 1602 411e70-411ebb call 4117d7 1598->1602 1603 411e5e-411e6e call 411cf5 1598->1603 1599->1598 1607 411e43-411e45 1599->1607 1600->1573 1610 411ec1-411f03 call 411cde call 436990 call 4117ea 1602->1610 1611 411f6b-411f6d call 4120b2 1602->1611 1603->1607 1607->1595 1610->1611 1619 411f05-411f0d 1610->1619 1611->1597 1620 411f0f-411f1c call 411aee 1619->1620 1621 411f1e-411f21 1619->1621 1623 411f24-411f2d call 411b9a 1620->1623 1621->1623 1623->1611 1627 411f2f-411f31 call 41198a 1623->1627 1629 411f36-411f38 1627->1629 1629->1611 1630 411f3a-411f43 call 411abd 1629->1630 1630->1611 1633 411f45-411f4c 1630->1633 1634 411f86 1633->1634 1635 411f4e-411f54 1633->1635 1636 411f8a-411f8c 1634->1636 1637 411f81-411f84 1635->1637 1638 411f56-411f5e 1635->1638 1636->1600 1637->1636 1640 411f60-411f65 SetLastError 1638->1640 1641 411f7c-411f7f 1638->1641 1640->1611 1641->1636
                                                                    APIs
                                                                      • Part of subcall function 004117D7: SetLastError.KERNEL32(0000000D,00411D57,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 004117DD
                                                                    • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411D72
                                                                    • GetNativeSystemInfo.KERNEL32(?,0040D2DD,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411DE0
                                                                    • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411E04
                                                                      • Part of subcall function 00411CDE: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CEE
                                                                    • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E4B
                                                                    • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E52
                                                                    • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F65
                                                                      • Part of subcall function 004120B2: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,?), ref: 00412122
                                                                      • Part of subcall function 004120B2: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 00412129
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                                                    • String ID:
                                                                    • API String ID: 3950776272-0
                                                                    • Opcode ID: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
                                                                    • Instruction ID: da58ab861bd0a84ec3871346ef31e8b8814b9d9500880b3a3e1890ad13292c25
                                                                    • Opcode Fuzzy Hash: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
                                                                    • Instruction Fuzzy Hash: F761A270700611ABCB209F66C981BAA7BA5AF44704F14411AFF05877A2D77CE8C2CBD9
                                                                    APIs
                                                                    • GetLocalTime.KERNEL32(00000001,00474EF0,004755A8,?,?,?,?,00415D11,?,00000001), ref: 00404F81
                                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EF0,004755A8,?,?,?,?,00415D11,?,00000001), ref: 00404FCD
                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0
                                                                    Strings
                                                                    • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Create$EventLocalThreadTime
                                                                    • String ID: KeepAlive | Enabled | Timeout:
                                                                    • API String ID: 2532271599-1507639952
                                                                    • Opcode ID: 062957303cfba47b26126e07690db1271cf596fef7b5f13bebc4271a0fb0f0d3
                                                                    • Instruction ID: 4df055e7b18788cc2e6f6b282d58d8d1f041b9f055d7d752625e2c9c7705ec55
                                                                    • Opcode Fuzzy Hash: 062957303cfba47b26126e07690db1271cf596fef7b5f13bebc4271a0fb0f0d3
                                                                    • Instruction Fuzzy Hash: D7110A71900385BAC720A7779C0DEABBFACDBD2714F04046FF54162291D6B89445CBBA
                                                                    APIs
                                                                    • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00433550,00000034,?,?,007441A8), ref: 004338DA
                                                                    • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000), ref: 004338F0
                                                                    • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000,0041E2E2), ref: 00433902
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Crypt$Context$AcquireRandomRelease
                                                                    • String ID:
                                                                    • API String ID: 1815803762-0
                                                                    • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                                                    • Instruction ID: d68cd6f5f98cbfa2ab0450769c499d20ea76a36e668e3df749659bd42d9a4b78
                                                                    • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                                                    • Instruction Fuzzy Hash: 40E09A31208310FBEB301F21AC08F573AA5EF89B66F200A3AF256E40E4D6A68801965C
                                                                    APIs
                                                                    • GetComputerNameExW.KERNEL32(00000001,?,0000002B,004750F4), ref: 0041B6BB
                                                                    • GetUserNameW.ADVAPI32(?,0040F25E), ref: 0041B6D3
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Name$ComputerUser
                                                                    • String ID:
                                                                    • API String ID: 4229901323-0
                                                                    • Opcode ID: a649893464b8dc9f92fcf892b6f773fc4b962ecf36c796a43829c604b32fbd1e
                                                                    • Instruction ID: 96a0ba9ffe47efa01ac310f3847ceb2d7b3b0148e4494d8e74ae155582b6cc75
                                                                    • Opcode Fuzzy Hash: a649893464b8dc9f92fcf892b6f773fc4b962ecf36c796a43829c604b32fbd1e
                                                                    • Instruction Fuzzy Hash: 9E014F7190011CABCB01EBD1DC45EEDB7BCAF44309F10016AB505B21A1EFB46E888BA8
                                                                    APIs
                                                                    • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00415537,00474EF0,00475A10,00474EF0,00000000,00474EF0,00000000,00474EF0,5.2.0 Pro), ref: 0040F920
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: InfoLocale
                                                                    • String ID:
                                                                    • API String ID: 2299586839-0
                                                                    • Opcode ID: 4f66370edde0bdaa3bcc008f8ea5ce22c00289683c96eec7ff0f1ed7c7935faa
                                                                    • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                                                                    • Opcode Fuzzy Hash: 4f66370edde0bdaa3bcc008f8ea5ce22c00289683c96eec7ff0f1ed7c7935faa
                                                                    • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 494 414f65-414fad call 4020df call 41b944 call 4020df call 401e65 call 401fab call 43bb2c 507 414fbc-415008 call 402093 call 401e65 call 4020f6 call 41beac call 40489e call 401e65 call 40b9f8 494->507 508 414faf-414fb6 Sleep 494->508 523 41500a-415079 call 401e65 call 40247c call 401e65 call 401fab call 401e65 call 40247c call 401e65 call 401fab call 401e65 call 40247c call 401e65 call 401fab call 40473d 507->523 524 41507c-415117 call 402093 call 401e65 call 4020f6 call 41beac call 401e65 * 2 call 406c59 call 402f10 call 401fe2 call 401fd8 * 2 call 401e65 call 405b05 507->524 508->507 523->524 577 415127-41512e 524->577 578 415119-415125 524->578 579 415133-4151c5 call 405aa6 call 40531e call 406383 call 402f10 call 402093 call 41b580 call 401fd8 * 2 call 401e65 call 401fab call 401e65 call 401fab call 414f24 577->579 578->579 606 415210-41521e call 40482d 579->606 607 4151c7-41520b WSAGetLastError call 41cb72 call 4052fd call 402093 call 41b580 call 401fd8 579->607 612 415220-415246 call 402093 * 2 call 41b580 606->612 613 41524b-415260 call 404f51 call 4048c8 606->613 629 415ade-415af0 call 404e26 call 4021fa 607->629 612->629 628 415266-4153b9 call 401e65 * 2 call 40531e call 406383 call 402f10 call 406383 call 402f10 call 402093 call 41b580 call 401fd8 * 4 call 41b871 call 4145f8 call 409097 call 441ed1 call 401e65 call 4020f6 call 40247c call 401fab * 2 call 413733 613->628 613->629 694 4153bb-4153c8 call 405aa6 628->694 695 4153cd-4153f4 call 401fab call 4135e1 628->695 643 415af2-415b12 call 401e65 call 401fab call 43bb2c Sleep 629->643 644 415b18-415b20 call 401e8d 629->644 643->644 644->524 694->695 701 4153f6-4153f8 695->701 702 4153fb-415a45 call 40417e call 40ddc4 call 41bcd3 call 41bdaf call 41bc1f call 401e65 GetTickCount call 41bc1f call 41bb77 call 41bc1f * 2 call 41bb27 call 41bdaf * 5 call 40f90c call 41bdaf call 402f31 call 402ea1 call 402f10 call 402ea1 call 402f10 * 3 call 402ea1 call 402f10 call 406383 call 402f10 call 406383 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 406383 call 402f10 * 5 call 402ea1 call 402f10 call 402ea1 call 402f10 * 7 call 402ea1 call 404aa1 call 401fd8 * 50 call 401f09 call 401fd8 * 6 call 401f09 call 404c10 695->702 701->702 947 415a4a-415a51 702->947 948 415a53-415a5a 947->948 949 415a65-415a6c 947->949 948->949 950 415a5c-415a5e 948->950 951 415a78-415aaa call 405a6b call 402093 * 2 call 41b580 949->951 952 415a6e-415a73 call 40b08c 949->952 950->949 963 415aac-415ab8 CreateThread 951->963 964 415abe-415ad9 call 401fd8 * 2 call 401f09 951->964 952->951 963->964 964->629
                                                                    APIs
                                                                    • Sleep.KERNEL32(00000000,00000029,00475300,004750F4,00000000), ref: 00414FB6
                                                                    • WSAGetLastError.WS2_32(00000000,00000001), ref: 004151C7
                                                                    • Sleep.KERNEL32(00000000,00000002), ref: 00415B12
                                                                      • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Sleep$ErrorLastLocalTime
                                                                    • String ID: | $%I64u$,aF$5.2.0 Pro$C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$HSG$Rmc-VG9RMM$TLS Off$TLS On $`SG$hlight$name$tMG$RG
                                                                    • API String ID: 524882891-4252927411
                                                                    • Opcode ID: b1004ef705661ac8b7785a360d0093f2405117e0aadfd6d023dde8988329571a
                                                                    • Instruction ID: d8c825886b0a0d8326cbfb5c9d4cc5050fd80dde9ad4bcb2ea62c87b00a1b781
                                                                    • Opcode Fuzzy Hash: b1004ef705661ac8b7785a360d0093f2405117e0aadfd6d023dde8988329571a
                                                                    • Instruction Fuzzy Hash: 03526C31A001155ACB18F732DD96AFEB3769F90348F5044BFE40A761E2EF781E858A9D

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 10001434
                                                                      • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                                                      • Part of subcall function 100010F1: lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001151
                                                                      • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                                                      • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                                                      • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                                                      • Part of subcall function 100010F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                                                      • Part of subcall function 100010F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
                                                                      • Part of subcall function 100010F1: FindClose.KERNEL32(00000000), ref: 100011DB
                                                                    • lstrlenW.KERNEL32(?), ref: 100014C5
                                                                    • lstrlenW.KERNEL32(?), ref: 100014E0
                                                                    • lstrlenW.KERNEL32(?,?), ref: 1000150F
                                                                    • lstrcatW.KERNEL32(00000000), ref: 10001521
                                                                    • lstrlenW.KERNEL32(?,?), ref: 10001547
                                                                    • lstrcatW.KERNEL32(00000000), ref: 10001553
                                                                    • lstrlenW.KERNEL32(?,?), ref: 10001579
                                                                    • lstrcatW.KERNEL32(00000000), ref: 10001585
                                                                    • lstrlenW.KERNEL32(?,?), ref: 100015AB
                                                                    • lstrcatW.KERNEL32(00000000), ref: 100015B7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4517676071.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4517659221.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4517676071.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                                                                    • String ID: )$Foxmail$ProgramFiles
                                                                    • API String ID: 672098462-2938083778
                                                                    • Opcode ID: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                                                    • Instruction ID: 44b728d421a24f1832cbc0053e0d9d9aefaca4d51113d01ad6b93c48f87fe4b0
                                                                    • Opcode Fuzzy Hash: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                                                    • Instruction Fuzzy Hash: 4081A475A40358A9EB30D7A0DC86FDE7379EF84740F00059AF608EB191EBB16AC5CB95

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 1009 412aef-412b38 GetModuleFileNameW call 4020df * 3 1016 412b3a-412bc4 call 41ba09 call 401fab call 40da23 call 401fd8 call 41ba09 call 401fab call 40da23 call 401fd8 call 41ba09 call 401fab call 40da23 call 401fd8 1009->1016 1041 412bc6-412c56 call 401fab call 40417e call 4042fc call 40431d call 403014 call 401f04 call 4185a3 call 401f09 * 4 1016->1041 1064 412c66 1041->1064 1065 412c58-412c60 Sleep 1041->1065 1066 412c68-412cf8 call 401fab call 40417e call 4042fc call 40431d call 403014 call 401f04 call 4185a3 call 401f09 * 4 1064->1066 1065->1041 1065->1064 1089 412d08 1066->1089 1090 412cfa-412d02 Sleep 1066->1090 1091 412d0a-412d9a call 401fab call 40417e call 4042fc call 40431d call 403014 call 401f04 call 4185a3 call 401f09 * 4 1089->1091 1090->1066 1090->1089 1114 412daa-412dcf 1091->1114 1115 412d9c-412da4 Sleep 1091->1115 1116 412dd3-412def call 401f04 call 41c516 1114->1116 1115->1091 1115->1114 1121 412df1-412e00 call 401f04 DeleteFileW 1116->1121 1122 412e06-412e22 call 401f04 call 41c516 1116->1122 1121->1122 1129 412e24-412e3d call 401f04 DeleteFileW 1122->1129 1130 412e3f 1122->1130 1132 412e43-412e5f call 401f04 call 41c516 1129->1132 1130->1132 1138 412e61-412e73 call 401f04 DeleteFileW 1132->1138 1139 412e79-412e7b 1132->1139 1138->1139 1141 412e88-412e93 Sleep 1139->1141 1142 412e7d-412e7f 1139->1142 1141->1116 1145 412e99-412eab call 406b63 1141->1145 1142->1141 1144 412e81-412e86 1142->1144 1144->1141 1144->1145 1148 412f01-412f20 call 401f09 * 3 1145->1148 1149 412ead-412ebb call 406b63 1145->1149 1160 412f25-412f5e call 40b93f call 401f04 call 4020f6 call 413268 1148->1160 1149->1148 1155 412ebd-412ecb call 406b63 1149->1155 1155->1148 1161 412ecd-412ef9 Sleep call 401f09 * 3 1155->1161 1176 412f63-412f89 call 401f09 call 405b05 1160->1176 1161->1016 1175 412eff 1161->1175 1175->1160 1181 4130e3-4131dc call 41bdaf call 402f31 call 402f10 * 6 call 402ea1 call 404aa1 call 401fd8 * 7 1176->1181 1182 412f8f-4130de call 41bdaf call 41bc1f call 402f31 call 402f10 * 6 call 402ea1 call 402f10 call 402ea1 call 404aa1 call 401fd8 * 10 1176->1182 1251 4131e0-413267 call 401fd8 call 401f09 call 401fd8 * 9 1181->1251 1182->1251
                                                                    APIs
                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412B08
                                                                      • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,00475300), ref: 0041BA30
                                                                      • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                                                      • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                                                    • Sleep.KERNEL32(0000000A,00465E84), ref: 00412C5A
                                                                    • Sleep.KERNEL32(0000000A,00465E84,00465E84), ref: 00412CFC
                                                                    • Sleep.KERNEL32(0000000A,00465E84,00465E84,00465E84), ref: 00412D9E
                                                                    • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E00
                                                                    • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E37
                                                                    • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E73
                                                                    • Sleep.KERNEL32(000001F4,00465E84,00465E84,00465E84), ref: 00412E8D
                                                                    • Sleep.KERNEL32(00000064), ref: 00412ECF
                                                                      • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                                    • String ID: /stext "$,aF$@TG$@TG
                                                                    • API String ID: 1223786279-971885606
                                                                    • Opcode ID: e3d391c43fd0e448d190aafaef7a175d74b737b2ac6a317b41d6f8a1c186be1a
                                                                    • Instruction ID: 54c64e465a66050ec466d83b34d0c9889d7f3cdaa7358c1e9e14d2467042f0e2
                                                                    • Opcode Fuzzy Hash: e3d391c43fd0e448d190aafaef7a175d74b737b2ac6a317b41d6f8a1c186be1a
                                                                    • Instruction Fuzzy Hash: 5B0268315083414AC325FB62D891AEFB3E5AFD0348F50483FF58A971E2EF785A49C65A

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 1286 4048c8-4048e8 connect 1287 404a1b-404a1f 1286->1287 1288 4048ee-4048f1 1286->1288 1291 404a21-404a2f WSAGetLastError 1287->1291 1292 404a97 1287->1292 1289 404a17-404a19 1288->1289 1290 4048f7-4048fa 1288->1290 1293 404a99-404a9e 1289->1293 1294 404926-404930 call 420cf1 1290->1294 1295 4048fc-404923 call 40531e call 402093 call 41b580 1290->1295 1291->1292 1296 404a31-404a34 1291->1296 1292->1293 1305 404941-40494e call 420f20 1294->1305 1306 404932-40493c 1294->1306 1295->1294 1299 404a71-404a76 1296->1299 1300 404a36-404a6f call 41cb72 call 4052fd call 402093 call 41b580 call 401fd8 1296->1300 1302 404a7b-404a94 call 402093 * 2 call 41b580 1299->1302 1300->1292 1302->1292 1319 404950-404973 call 402093 * 2 call 41b580 1305->1319 1320 404987-404992 call 421ad1 1305->1320 1306->1302 1349 404976-404982 call 420d31 1319->1349 1332 4049c4-4049d1 call 420e97 1320->1332 1333 404994-4049c2 call 402093 * 2 call 41b580 call 421143 1320->1333 1343 4049d3-4049f6 call 402093 * 2 call 41b580 1332->1343 1344 4049f9-404a14 CreateEventW * 2 1332->1344 1333->1349 1343->1344 1344->1289 1349->1292
                                                                    APIs
                                                                    • connect.WS2_32(FFFFFFFF,0076B358,00000010), ref: 004048E0
                                                                    • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                                                    • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                                                    • WSAGetLastError.WS2_32 ref: 00404A21
                                                                      • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                                    • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                                    • API String ID: 994465650-2151626615
                                                                    • Opcode ID: c5d38f0f22f3010d6961fda9b348a04099d06d82ea66a40e2069e37e8a749612
                                                                    • Instruction ID: d7ad8a6a5323ad03425d5def7d05b30a9c8ce31cd4ccd690c712fe6c843f15aa
                                                                    • Opcode Fuzzy Hash: c5d38f0f22f3010d6961fda9b348a04099d06d82ea66a40e2069e37e8a749612
                                                                    • Instruction Fuzzy Hash: AD41E8B575060277C61877BB890B52E7A56AB81308B50017FEA0256AD3FA7D9C108BEF

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                                                    • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                                                    • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                                                    • closesocket.WS2_32(000000FF), ref: 00404E5A
                                                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
                                                                    • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
                                                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
                                                                    • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBF
                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EC4
                                                                    • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
                                                                    • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                                    • String ID:
                                                                    • API String ID: 3658366068-0
                                                                    • Opcode ID: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                                                                    • Instruction ID: 681aebbacbf541c1c6cd6dfca6fba55586e42b113d9ea1c0d4e3a90daa9851ad
                                                                    • Opcode Fuzzy Hash: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                                                                    • Instruction Fuzzy Hash: DE21EA71154B04AFDB216B26DC49B1BBBA1FF40326F104A2DE2E211AF1CB79B851DB58

Control-flow Graph (rendered graph not captured; legend: Executed / Not Executed): function 40da6f, basic blocks 40da6f..40dc56, calling GetLongPathNameW and internal subroutines 401f86, 401f04, 40417e, 40de0c, 402fa5, 401f09, 41c048, 43c11f, 41b645, 401f13, 409092.
                                                                    APIs
                                                                    • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040DBD5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: LongNamePath
                                                                    • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                                    • API String ID: 82841172-425784914
                                                                    • Opcode ID: f4c7df661c5bec9d099b359126bde6595d68bd7cf9e1ce7f7ed169ab2082938e
                                                                    • Instruction ID: db29472287e64cad03ac4489520097095d7cef5d056ecb8d0020da3553efca3c
                                                                    • Opcode Fuzzy Hash: f4c7df661c5bec9d099b359126bde6595d68bd7cf9e1ce7f7ed169ab2082938e
                                                                    • Instruction Fuzzy Hash: 0A4151715082019AC205F765DC96CAAB7B8AE90758F10053FB146B20E2FFBCAE4DC65B

Control-flow Graph (rendered graph not captured; legend: Executed / Not Executed): function 41b354, basic blocks 41b354..41b410, calling StrToIntA and internal subroutines 41c048, 4135e1, 401fe2, 401fd8, 406b1c, 401fab, 41cffa, 40537d.
                                                                    APIs
                                                                      • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                                      • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                                                      • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                                      • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                                                      • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                                                                    • StrToIntA.SHLWAPI(00000000,0046CA08,00000000,00000000,00000000,004750F4,00000003,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0041B3CD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Process$CloseCurrentOpenQueryValueWow64
                                                                    • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                                    • API String ID: 782494840-2070987746
                                                                    • Opcode ID: 3c4b5d7af4f146739f75e1625d68ed09f09484dc39002bc0f3c390a355a847db
                                                                    • Instruction ID: 99e2d84e4b8fa31c947f893a9fcbf762d6d1118dcb79bce5eaccee633664c5dc
                                                                    • Opcode Fuzzy Hash: 3c4b5d7af4f146739f75e1625d68ed09f09484dc39002bc0f3c390a355a847db
                                                                    • Instruction Fuzzy Hash: 0311C47064414926C700F7659C97BFF76198B80304F94453BF806A71D3FB6C598683EE

Control-flow Graph (rendered graph not captured; legend: Executed / Not Executed): function 1000c7e6, basic blocks 1000c7e6..1000c872, calling GetModuleHandleA, GetProcAddress, VirtualProtect and internal subroutines 1000c803, 1000c877.
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                                                                    • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                                                      • Part of subcall function 1000C803: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                                                      • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                                      • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4517676071.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4517659221.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4517676071.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: AddressHandleModuleProcProtectVirtual
                                                                    • String ID:
                                                                    • API String ID: 2099061454-0
                                                                    • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                    • Instruction ID: 210348daefc771ff09e919cc38fdfa0d839c8297c2798a32150270056baeab90
                                                                    • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                    • Instruction Fuzzy Hash: 0301D22094574A38BA51D7B40C06EBA5FD8DB176E0B24D756F1408619BDDA08906C3AE
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                                                      • Part of subcall function 1000C7E6: GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                                                                      • Part of subcall function 1000C7E6: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                                                      • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                                      • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4517676071.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4517659221.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4517676071.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: AddressHandleModuleProcProtectVirtual
                                                                    • String ID:
                                                                    • API String ID: 2099061454-0
                                                                    • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                    • Instruction ID: abaa11d5974e3e1b05dfd32ec0224f7ddc3d76465740e120717e363e7a178845
                                                                    • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                    • Instruction Fuzzy Hash: A921382140838A6FF711CBB44C05FA67FD8DB172E0F198696E040CB147DDA89845C3AE
                                                                    APIs
                                                                    • GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                                                    • VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                                    • VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                                    • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4517676071.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4517659221.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4517676071.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProcProtectVirtual$HandleModule
                                                                    • String ID:
                                                                    • API String ID: 2152742572-0
                                                                    • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                    • Instruction ID: 9138b94afbcae90e12a8614b592989542e7cb6e8cba5f1d72008c399686a5f74
                                                                    • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                    • Instruction Fuzzy Hash: B7F0C2619497893CFA21C7B40C45EBA5FCCCB276E0B249A56F600C718BDCA5890693FE
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CountEventTick
                                                                    • String ID: !D@$,aF
                                                                    • API String ID: 180926312-3317875915
                                                                    • Opcode ID: 2953280aba7febb8b45d8bdefe1a2ce83ee7e7983946ec5cde0a20546917af89
                                                                    • Instruction ID: a18c2cf71696728a803f4d48a8d0c2278a59ecc2ec6ff56e3a85b819d46b2ac8
                                                                    • Opcode Fuzzy Hash: 2953280aba7febb8b45d8bdefe1a2ce83ee7e7983946ec5cde0a20546917af89
                                                                    • Instruction Fuzzy Hash: 4F51B6315082019AC724FB32D852AFF73A5AF94304F50483FF546671E2EF3C5945C68A
                                                                    APIs
                                                                    • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                                                                    • RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000,00475300,?,?,0040F88E,004674C8,5.2.0 Pro), ref: 004137E1
                                                                    • RegCloseKey.KERNEL32(?,?,?,0040F88E,004674C8,5.2.0 Pro), ref: 004137EC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseCreateValue
                                                                    • String ID: pth_unenc
                                                                    • API String ID: 1818849710-4028850238
                                                                    • Opcode ID: 944061157b2f8cf5ce0fe9502f04d7932ff2a7d7d8f180209318ac9fb18fc527
                                                                    • Instruction ID: b09b06e14e5a963f4ed757ac8f346f2723baee7be417271cc0de3610a50c6458
                                                                    • Opcode Fuzzy Hash: 944061157b2f8cf5ce0fe9502f04d7932ff2a7d7d8f180209318ac9fb18fc527
                                                                    • Instruction Fuzzy Hash: A4F06272500218FBDF00AFA1DC45DEA376CEF04751F108566FD1AA61A1DB359E14DB54
                                                                    APIs
                                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F60), ref: 00404DB3
                                                                    • CreateThread.KERNEL32(00000000,00000000,?,00474F08,00000000,00000000), ref: 00404DC7
                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00404DD2
                                                                    • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00404DDB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                                    • String ID:
                                                                    • API String ID: 3360349984-0
                                                                    • Opcode ID: 028fe8f6fecc2507a37e94400a5d89d3ce99a4c931556f406eb49177b4af90ff
                                                                    • Instruction ID: 30d48123e17294c38ae6f490953f1b42a5ca81467cb0df1087f173bd09261e59
                                                                    • Opcode Fuzzy Hash: 028fe8f6fecc2507a37e94400a5d89d3ce99a4c931556f406eb49177b4af90ff
                                                                    • Instruction Fuzzy Hash: 684182B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                                                                    APIs
                                                                    • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 0041C543
                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041C568
                                                                    • CloseHandle.KERNEL32(00000000), ref: 0041C576
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$CloseCreateHandleReadSize
                                                                    • String ID:
                                                                    • API String ID: 3919263394-0
                                                                    • Opcode ID: ea631e93aeae4d86132659a3c821e70bd950fb822780c369254ddbb306c6d1ec
                                                                    • Instruction ID: 4673af35f3eeaf13de89ae80f5e83caf65f56e40ae5cb47f4621101913e6d1ef
                                                                    • Opcode Fuzzy Hash: ea631e93aeae4d86132659a3c821e70bd950fb822780c369254ddbb306c6d1ec
                                                                    • Instruction Fuzzy Hash: 50F0C2B1241318BFE6101B25ADC9EBB369DDB866A9F10063EF802A22D1DA698D055139
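The function listings on this page are raw per-function annotations; what an analyst wants from them is the behaviour each API cluster implies. The Python script below is an added example, not part of the Joe Sandbox report or its IDA plugin. It parses annotation lines in exactly the format printed here (API.MODULE(args), ref: address, including the "Part of subcall function" form, plus the '$'-separated String ID entries) and maps five clusters visible in this section to labels: the CreateMutexA/GetLastError single-instance check listed below (string Rmc-VG9RMM), the RegCreateKeyA/RegSetValueExA write under HKCU (string pth_unenc), the GetProcAddress-then-VirtualProtect(…, 0x78, PAGE_READWRITE) patch pattern in the 10000000 module, the IsWow64Process/CurrentVersion fingerprinting, and the environment-root path expansion around GetLongPathNameW. The sample inputs are copied from this page; the hive and page-protection tables are standard Win32 constants; the behaviour labels and rules are this example's own heuristics, not Joe Sandbox signatures.

```python
"""Turn Joe Sandbox function-annotation lines into behaviour labels (added example)."""
import re

# One API annotation line as printed in the report, e.g.
#   • RegSetValueExA.KERNEL32(?,004674C8,00000000,?), ref: 004137E1
#   • GetLastError.KERNEL32 ref: 0040D0BE
#   • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?), ref: 0041C060
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# Decoded strings the plugin attributes to the function, '$'-separated.
STRING_LINE = re.compile(r"^\s*(?:•\s*)?String ID:\s*(?P<ids>.*)$")

# Standard Win32 constants (not taken from the report).
HIVES = {0x80000000: "HKCR", 0x80000001: "HKCU", 0x80000002: "HKLM", 0x80000003: "HKU"}
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
ENV_ROOTS = {"AppData", "ProgramData", "ProgramFiles", "SystemDrive", "Temp", "UserProfile", "WinDir"}


def parse_arg(token):
    """8-hex-digit stack value -> int; '?' (unresolved by the plugin) -> None; else literal text."""
    token = token.strip()
    if token == "?":
        return None
    return int(token, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", token) else token


def parse_block(text):
    """Parse one function listing into its API calls and decoded String ID entries."""
    apis, strings = [], []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            raw = m.group("args")
            apis.append({"api": m.group("api"), "module": m.group("module"),
                         "args": [parse_arg(a) for a in raw.split(",")] if raw else [],
                         "ref": int(m.group("ref"), 16),
                         "subcall": int(m.group("sub"), 16) if m.group("sub") else None})
            continue
        m = STRING_LINE.match(line)
        if m:
            strings += [s.strip() for s in m.group("ids").split("$") if s.strip()]
    return {"apis": apis, "strings": strings}


def triage(block):
    """Heuristic labels for the API clusters seen in this report (this example's own rules)."""
    names = [c["api"] for c in block["apis"]]
    strings = ", ".join(block["strings"]) or "(none decoded)"
    findings = []
    # GetLastError right after CreateMutex is the ERROR_ALREADY_EXISTS "already running?" test.
    if any(n.startswith("CreateMutex") for n in names) and "GetLastError" in names:
        findings.append(f"single-instance mutex check; strings: {strings}")
    if any(n.startswith("RegSetValueEx") for n in names):
        opener = next((c for c in block["apis"]
                       if c["api"].startswith(("RegCreateKey", "RegOpenKey"))), None)
        hive = HIVES.get(opener["args"][0], "unknown hive") if opener and opener["args"] else "unknown hive"
        findings.append(f"registry value write under {hive}; strings: {strings}")
    if "IsWow64Process" in names and any(n.startswith("RegQueryValueEx") for n in names):
        findings.append(f"OS fingerprinting via IsWow64Process and version keys; strings: {strings}")
    if "GetLongPathNameW" in names and ENV_ROOTS & set(block["strings"]):
        findings.append(f"install-path resolution from environment roots; strings: {strings}")
    for c in block["apis"]:
        # Making a just-resolved export writable is the usual prelude to patching/hooking it.
        if c["api"] == "VirtualProtect" and len(c["args"]) > 2 and isinstance(c["args"][2], int):
            prot = PAGE_PROTECT.get(c["args"][2], f"{c['args'][2]:#x}")
            size = f"{c['args'][1]:#x}" if isinstance(c["args"][1], int) else "?"
            target = "a GetProcAddress-resolved export" if "GetProcAddress" in names else "memory"
            findings.append(f"VirtualProtect to {prot} over {size} bytes of {target} "
                            f"at ref {c['ref']:#x} (in-place patch/hook pattern)")
    return findings


# Sample listings copied from this report page (trimmed to the lines the rules use).
SAMPLES = {
    "mutex": r"""
• CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0040D0B3
• GetLastError.KERNEL32 ref: 0040D0BE
• String ID: Rmc-VG9RMM
""",
    "registry": r"""
• RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
• RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000,00475300,?,?,0040F88E,004674C8,5.2.0 Pro), ref: 004137E1
• String ID: pth_unenc
""",
    "virtualprotect": r"""
• GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
• VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
• VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
• GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
""",
    "os_fingerprint": r"""
  • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
  • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
• String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
""",
    "path": r"""
• GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040DBD5
• String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
""",
}


def run_all(samples=SAMPLES):
    """Triage every sample listing; returns {name: [finding, ...]}."""
    return {name: triage(parse_block(text)) for name, text in samples.items()}


if __name__ == "__main__":
    for name, findings in run_all().items():
        print(name, *findings, sep="\n    ")
```

The unresolved `?` arguments are kept as None rather than dropped so positional rules (hive in argument 0, protection in argument 2) stay aligned with the Win32 prototypes; a rule only fires when the argument it needs was actually recovered by the plugin.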
                                                                    APIs
                                                                    • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0040D0B3
                                                                    • GetLastError.KERNEL32 ref: 0040D0BE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateErrorLastMutex
                                                                    • String ID: Rmc-VG9RMM
                                                                    • API String ID: 1925916568-2632747479
                                                                    • Opcode ID: aba24bfd7e8b808837b934fb3074bb655e41bd047bfda9aafcf34366fa62f390
                                                                    • Instruction ID: 897831e38bae895769414ba5eaefcaa992d87aaaa8244aa01aad5f1db7de32a1
                                                                    • Opcode Fuzzy Hash: aba24bfd7e8b808837b934fb3074bb655e41bd047bfda9aafcf34366fa62f390
                                                                    • Instruction Fuzzy Hash: 62D012B0614301EBDB0467709C5975936559B44702F50487AB50BD95F1CBFC88D08519
                                                                    APIs
                                                                    • send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                    • WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474F08,?), ref: 00404B47
                                                                    • SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474F08,?,?,?,?,?,?,0040547D), ref: 00404B75
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: EventObjectSingleWaitsend
                                                                    • String ID:
                                                                    • API String ID: 3963590051-0
                                                                    • Opcode ID: 80c7fea73abe22e7e454ca4c608e8bd367ca1317486abb7208023f805754322d
                                                                    • Instruction ID: ade4869c8039bafc3f5202e75afdfb18787be874a76dce876c460fae4797ad88
                                                                    • Opcode Fuzzy Hash: 80c7fea73abe22e7e454ca4c608e8bd367ca1317486abb7208023f805754322d
                                                                    • Instruction Fuzzy Hash: 152124B2900119BBCB04ABA1DC95DEEB77CFF14314B00452FF515B71E2EB38AA15C6A4
                                                                    APIs
                                                                    • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                                    • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                                                    • RegCloseKey.KERNEL32(?), ref: 0041362D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseOpenQueryValue
                                                                    • String ID:
                                                                    • API String ID: 3677997916-0
                                                                    • Opcode ID: e238dbc9e2073977e027648aa5af93dfac856dda57be128719874f60decc0002
                                                                    • Instruction ID: 0661f39b514c0023b6096d8878825bbc81d19e8e8981dfb5b132c5fecbfe39b6
                                                                    • Opcode Fuzzy Hash: e238dbc9e2073977e027648aa5af93dfac856dda57be128719874f60decc0002
                                                                    • Instruction Fuzzy Hash: 4A01D676900228FBCB209B91DC08DEF7F7DDB44B51F004066BB05A2240DA748E45DBA4
                                                                    APIs
                                                                    • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,00475300), ref: 0041374F
                                                                    • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00413768
                                                                    • RegCloseKey.KERNEL32(00000000), ref: 00413773
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseOpenQueryValue
                                                                    • String ID:
                                                                    • API String ID: 3677997916-0
                                                                    • Opcode ID: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                                                                    • Instruction ID: cdc8bb2f12cdea1da97e3e4d454c68039a4c25ad8704162e95ac064a0ac82555
                                                                    • Opcode Fuzzy Hash: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                                                                    • Instruction Fuzzy Hash: C301AD7540022DFBDF215F91DC04DEB3F38EF05761F008065BE09620A1E7358AA5EB94
                                                                    APIs
                                                                    • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
                                                                    • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,00475300), ref: 004135C2
                                                                    • RegCloseKey.KERNEL32(?), ref: 004135CD
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseOpenQueryValue
                                                                    • String ID:
                                                                    • API String ID: 3677997916-0
                                                                    • Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                                                    • Instruction ID: 3ea041f737baa467864e73cd7e114674dd940ed34319bd14b5ec79364d8ab256
                                                                    • Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                                                    • Instruction Fuzzy Hash: 39F01D76900218FFDF109FA09C45FEE7BBDEB04B11F1044A5BA04E6191D6359F549B94
                                                                    APIs
                                                                    • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040C1D7,00466C58), ref: 00413551
                                                                    • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040C1D7,00466C58), ref: 00413565
                                                                    • RegCloseKey.KERNEL32(?,?,?,0040C1D7,00466C58), ref: 00413570
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseOpenQueryValue
                                                                    • String ID:
                                                                    • API String ID: 3677997916-0
                                                                    • Opcode ID: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                                                                    • Instruction ID: 960a54a16a1ccd4152458ec6927d20d37e2092670a33f2d7c306b576a706ad25
                                                                    • Opcode Fuzzy Hash: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                                                                    • Instruction Fuzzy Hash: 23E06532801238FBDF204FA29C0DDEB7F6CDF06BA1B000155BD0CA1111D2258E50E6E4
                                                                    APIs
                                                                    • RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                                    • RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                                                    • RegCloseKey.KERNEL32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseCreateValue
                                                                    • String ID:
                                                                    • API String ID: 1818849710-0
                                                                    • Opcode ID: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                                                    • Instruction ID: 04d77b696783773a8a307df6842786532c8303179302b097fa31242bc3118ae5
                                                                    • Opcode Fuzzy Hash: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                                                    • Instruction Fuzzy Hash: 1EE06D72500318FBDF109FA0DC06FEA7BACEF04B62F104565BF09A6191D6358E14E7A8
                                                                    APIs
                                                                    • GlobalMemoryStatusEx.KERNEL32(?), ref: 0041B85B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: GlobalMemoryStatus
                                                                    • String ID: @
                                                                    • API String ID: 1890195054-2766056989
                                                                    • Opcode ID: 23b0e77897189e0b78fa4d1d520ef24eb5f5038ce1868e817330353f58216111
                                                                    • Instruction ID: 3eac6c9810fdf3f5cdd4c6aee73cb3509883e52e26c84b2cc96e0464d85798e3
                                                                    • Opcode Fuzzy Hash: 23b0e77897189e0b78fa4d1d520ef24eb5f5038ce1868e817330353f58216111
                                                                    • Instruction Fuzzy Hash: F6D017B58023189FC720DFA8E804A8DBBFCEB08210F00456AEC49E3300E770EC008B84
                                                                    APIs
                                                                    • _free.LIBCMT ref: 00446227
                                                                      • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                    • RtlReAllocateHeap.NTDLL(00000000,00000000,?,?,0000000F,00000000,00432F93,00000000,0000000F,0042F99D,?,?,00431A44,?,?,00000000), ref: 00446263
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocateHeap$_free
                                                                    • String ID:
                                                                    • API String ID: 1482568997-0
                                                                    • Opcode ID: b10fa1e8472e683284d1f6c52ed4eb802d80ccb8cfc65d6c0dd02300a023487f
                                                                    • Instruction ID: 528349031ecf72c594af6ac828cc426c74ce8c7b4bfa82022820746e0f177899
                                                                    • Opcode Fuzzy Hash: b10fa1e8472e683284d1f6c52ed4eb802d80ccb8cfc65d6c0dd02300a023487f
                                                                    • Instruction Fuzzy Hash: 4CF0283110121176BB213B266C01B6B3759AF83B70B1700ABFC1466281CFBCCC41406F
                                                                    APIs
                                                                    • socket.WS2_32(00000002,00000001,00000006), ref: 00404852
                                                                    • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E
                                                                      • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateEventStartupsocket
                                                                    • String ID:
                                                                    • API String ID: 1953588214-0
                                                                    • Opcode ID: 4d13770ae0ce35ce4dbd6fcc6f24a1261d6c2af77246669734211e402fddb5c6
                                                                    • Instruction ID: d30f6c82ceabff406a890a607b6903e59214fa94f63df9469096212d3e1caec2
                                                                    • Opcode Fuzzy Hash: 4d13770ae0ce35ce4dbd6fcc6f24a1261d6c2af77246669734211e402fddb5c6
                                                                    • Instruction Fuzzy Hash: F90171B1408B809ED7359F28A8456967FE0AB55304F044D6EF1DA97B92D3B5A881CB18
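The call records above are printed raw: registry hives, access masks, socket arguments and the Winsock version are bare hex, and each argument list runs on into stack slots past the function's real signature. The script below is an added example, not part of the Joe Sandbox report and not code from the sample. It parses call lines in the "Api.MODULE(args), ref: ADDR" shape used on this page (a few of them copied here, shortened, as constructed input), decodes the constants (80000001 = HKEY_CURRENT_USER, 00020019 = KEY_READ, socket(2,1,6) = AF_INET/SOCK_STREAM/IPPROTO_TCP, WSAStartup 0202 = Winsock 2.2, RegSetValueExA type 4 = REG_DWORD) and turns the CreateMutexA/GetLastError pair with its Rmc-VG9RMM string ID, the HKCU key creation and value write, the raw TCP socket setup and the GetForegroundWindow/GetWindowTextW pair in the record further down into triage findings. The finding texts and the Rmc- prefix heuristic are this example's own, not something the report states.

```python
"""Decode raw API-call lines from a Joe Sandbox function record into analyst-readable
facts. Added example: not part of the report and not Remcos code. Assumes the
"Api.MODULE(args), ref: ADDR" line shape shown on this page; only leading arguments are read."""
import re
from typing import Any, Dict, List

# Constructed input: call lines copied (and shortened) from the records on this page.
SAMPLE_CALLS = """\
• CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC43,0000000D), ref: 0040D0B3
• GetLastError.KERNEL32 ref: 0040D0BE
• RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
• RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
• RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?), ref: 004138DB
• socket.WS2_32(00000002,00000001,00000006), ref: 00404852
  • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
• GetWindowTextW.USER32(00000000,?,00000100), ref: 0041BB5C
"""
SAMPLE_STRINGS = ["Rmc-VG9RMM"]  # the "String ID" of the CreateMutexA record
PREFIX_RE = re.compile(r"^[\s•]*(?:Part of subcall function [0-9A-Fa-f]+: )?")
LINE_RE = re.compile(r"^(?P<api>\w+)\.(?P<mod>[A-Z0-9_]+)"
                     r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_RIGHTS = {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
              0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK",
              0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
              0x80000: "WRITE_OWNER"}
NAMED_MASKS = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}
REG_TYPES = {0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
             4: "REG_DWORD", 7: "REG_MULTI_SZ", 11: "REG_QWORD"}
AF, SOCK = {2: "AF_INET", 23: "AF_INET6"}, {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}
PROTO = {6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
RULES = [  # (APIs that must all appear, finding); this example's heuristics, not the report's
    ({"CreateMutexA", "GetLastError"}, "single-instance check (GetLastError == ERROR_ALREADY_EXISTS)"),
    ({"RegCreateKeyA", "RegSetValueExA"}, "creates a registry key and writes a value to it"),
    ({"socket", "WSAStartup"}, "raw Winsock TCP client setup (C2 channel candidate)"),
    ({"GetWindowTextW"}, "window-title capture (keylogger context tagging)")]


def _name(table: Dict[int, str], v: Any) -> str:
    return table.get(v, hex(v) if isinstance(v, int) else str(v))


def access_mask(mask: Any) -> str:
    """Name a registry samDesired value: known composites first, else the set bits."""
    if not isinstance(mask, int):
        return str(mask)  # '?' = value the sandbox could not resolve
    if mask in NAMED_MASKS:
        return NAMED_MASKS[mask]
    return "|".join(n for b, n in KEY_RIGHTS.items() if mask & b) or hex(mask)


def _parse_args(raw: str) -> List[Any]:
    # 8-hex-digit tokens become ints; '?' and string literals (e.g. Exe) stay as text.
    return [int(t, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", t) else t
            for t in raw.split(",") if t]


def decode_call(api: str, args: List[Any]) -> str:
    a = lambda i: args[i] if i < len(args) else None
    if api == "CreateMutexA":
        return f"create mutex, initial_owner={bool(a(1))}"
    if api == "RegOpenKeyExA":
        return f"open {_name(HIVES, a(0))} subkey with {access_mask(a(3))}"
    if api == "RegCreateKeyA":
        return f"create/open key under {_name(HIVES, a(0))}"
    if api == "RegSetValueExA":
        return f"write {_name(REG_TYPES, a(3))} value of {a(5)} bytes"
    if api == "socket":
        return f"{_name(AF, a(0))}/{_name(SOCK, a(1))}/{_name(PROTO, a(2))} socket"
    if api == "WSAStartup" and isinstance(a(0), int):
        return f"Winsock {a(0) & 0xFF}.{a(0) >> 8} requested"  # MAKEWORD(major, minor)
    if api == "GetWindowTextW":
        return f"read window title, up to {a(2)} chars"
    return "no decoder"


def decode_calls(text: str) -> List[Dict[str, Any]]:
    """Parse every call line in text (bullets and 'Part of subcall' prefixes stripped)."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(PREFIX_RE.sub("", line).strip())
        if m:
            args = _parse_args(m["args"] or "")
            out.append({"api": m["api"], "module": m["mod"], "ref": m["ref"],
                        "args": args, "meaning": decode_call(m["api"], args)})
    return out


def triage(calls: List[Dict[str, Any]], strings: List[str]) -> List[str]:
    """Findings from API co-occurrence plus the record's string IDs."""
    apis = {c["api"] for c in calls}
    findings = [text for need, text in RULES if need <= apis]
    findings += [f"mutex name {s!r} carries the Rmc- prefix Remcos builds use"
                 for s in strings if s.startswith("Rmc-")]
    return findings
```

Run decode_calls over the APIs lines of a whole report rather than one record at a time; calls with no decoder table still appear in the output with their raw arguments and the text "no decoder", so nothing is silently dropped. The co-occurrence rules are deliberately coarse (they key on API names, not argument values); tighten them with the decoded arguments, for example requiring HKEY_CURRENT_USER in the RegCreateKeyA finding, before using them as detections.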
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    APIs
                                                                    • GetForegroundWindow.USER32 ref: 0041BB49
                                                                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041BB5C
                                                                    • API ID: Window$ForegroundText
                                                                    • String ID:
                                                                    • API String ID: 29597999-0
                                                                    APIs
                                                                    • getaddrinfo.WS2_32(00000000,00000000,00000000,00472AF0,004750F4,00000000,004151C3,00000000,00000001), ref: 00414F46
                                                                    • WSASetLastError.WS2_32(00000000), ref: 00414F4B
                                                                      • Part of subcall function 00414DC1: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                                                      • Part of subcall function 00414DC1: LoadLibraryA.KERNEL32(?), ref: 00414E52
                                                                      • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                                                      • Part of subcall function 00414DC1: FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                                                      • Part of subcall function 00414DC1: LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                                                      • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                                                      • Part of subcall function 00414DC1: FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                                                      • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                                                    • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                                                    • String ID:
                                                                    • API String ID: 1170566393-0
                                                                    APIs
                                                                    • API ID: _wcslen
                                                                    • String ID:
                                                                    • API String ID: 176396367-0
                                                                    APIs
                                                                    • RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                    • API ID: AllocateHeap
                                                                    • String ID:
                                                                    • API String ID: 1279760036-0
                                                                    APIs
                                                                    • WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                                                    • API ID: Startup
                                                                    • String ID:
                                                                    • API String ID: 724789610-0
                                                                    APIs
                                                                    • std::_Deallocate.LIBCONCRT ref: 00402E2B
                                                                    • API ID: Deallocatestd::_
                                                                    • String ID:
                                                                    • API String ID: 1323251999-0
                                                                    APIs
                                                                    • API ID: recv
                                                                    • String ID:
                                                                    • API String ID: 1507349165-0
                                                                    APIs
                                                                    • API ID: send
                                                                    • String ID:
                                                                    • API String ID: 2809346765-0
                                                                    APIs
                                                                    • VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CEE
                                                                    • API ID: AllocVirtual
                                                                    • String ID:
                                                                    • API String ID: 4275171209-0
                                                                    APIs
                                                                    • __Init_thread_footer.LIBCMT ref: 004056E6
                                                                      • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                    • __Init_thread_footer.LIBCMT ref: 00405723
                                                                    • CreatePipe.KERNEL32(00476CDC,00476CC4,00476BE8,00000000,004660CC,00000000), ref: 004057B6
                                                                    • CreatePipe.KERNEL32(00476CC8,00476CE4,00476BE8,00000000), ref: 004057CC
                                                                    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BF8,00476CCC), ref: 0040583F
                                                                    • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                                                    • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                                                    • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                                                      • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                    • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474FA0,004660D0,00000062,004660B4), ref: 004059E4
                                                                    • Sleep.KERNEL32(00000064,00000062,004660B4), ref: 004059FE
                                                                    • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                                                    • CloseHandle.KERNEL32 ref: 00405A23
                                                                    • CloseHandle.KERNEL32 ref: 00405A2B
                                                                    • CloseHandle.KERNEL32 ref: 00405A3D
                                                                    • CloseHandle.KERNEL32 ref: 00405A45
                                                                    Strings
                                                                    • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                                    • String ID: @lG$@lG$@lG$@lG$@lG$SystemDrive$cmd.exe$kG$lG$lG$lG$lG
                                                                    • API String ID: 2994406822-3565532687
                                                                    • Opcode ID: 2941c8ad53f7323b291cdd827dcf5d644acb4b56ea3049643658da878b1305a4
                                                                    • Instruction ID: efba9956b6c01968ba48be3e84054341744464a70a9fb060b5e58b4ef4e39929
                                                                    • Opcode Fuzzy Hash: 2941c8ad53f7323b291cdd827dcf5d644acb4b56ea3049643658da878b1305a4
                                                                    • Instruction Fuzzy Hash: ED91B271600604AFD711FB35AD41A6B3AAAEB84344F01443FF549A72E2DB7D9C488F6D
                                                                    APIs
                                                                    • SetEvent.KERNEL32(?,?), ref: 00407CF4
                                                                    • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407DC2
                                                                    • DeleteFileW.KERNEL32(00000000), ref: 00407DE4
                                                                      • Part of subcall function 0041C322: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C37D
                                                                      • Part of subcall function 0041C322: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C3AD
                                                                      • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C402
                                                                      • Part of subcall function 0041C322: FindClose.KERNEL32(00000000,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C463
                                                                      • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C46A
                                                                      • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                      • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                      • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474F08,?), ref: 00404B47
                                                                      • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474F08,?,?,?,?,?,?,0040547D), ref: 00404B75
                                                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004081D2
                                                                    • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004082B3
                                                                    • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084FF
                                                                    • DeleteFileA.KERNEL32(?), ref: 0040868D
                                                                      • Part of subcall function 00408847: __EH_prolog.LIBCMT ref: 0040884C
                                                                      • Part of subcall function 00408847: FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                                                      • Part of subcall function 00408847: __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                                                      • Part of subcall function 00408847: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                                                    • Sleep.KERNEL32(000007D0), ref: 00408733
                                                                    • StrToIntA.SHLWAPI(00000000,00000000), ref: 00408775
                                                                      • Part of subcall function 0041CA73: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                                                    • String ID: (aF$8PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$hPG$hPG$hPG$hPG$open
                                                                    • API String ID: 1067849700-1785547828
                                                                    • Opcode ID: 663df83fc78a1f4cc00baf3c0700fb30b29183e6e7368accdec73b1a4d1effaa
                                                                    • Instruction ID: d596b55e62c6dc406d7f5c06aadeacefb76b4acf2f669351df47ebe9cc805958
                                                                    • Opcode Fuzzy Hash: 663df83fc78a1f4cc00baf3c0700fb30b29183e6e7368accdec73b1a4d1effaa
                                                                    • Instruction Fuzzy Hash: 9F4282716043016BC604FB76C9579AE77A9AF91348F80483FF582671E2EE7C9908C79B
                                                                    APIs
                                                                    • GetCurrentProcessId.KERNEL32 ref: 00412141
                                                                      • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                                      • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                                                      • Part of subcall function 004138B2: RegCloseKey.KERNEL32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                                                    • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412181
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00412190
                                                                    • CreateThread.KERNEL32(00000000,00000000,00412829,00000000,00000000,00000000), ref: 004121E6
                                                                    • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00412455
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                                                    • String ID: (TG$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$RG
                                                                    • API String ID: 3018269243-1913798818
                                                                    • Opcode ID: 59c36cd5938545f1a1f240dfeccaea4fdfaec488e69936b44dccc71e2b46a8e1
                                                                    • Instruction ID: 26abbb7e12f392f9fbc718c06b30ae47eaa1113e002934215aad22704783e961
                                                                    • Opcode Fuzzy Hash: 59c36cd5938545f1a1f240dfeccaea4fdfaec488e69936b44dccc71e2b46a8e1
                                                                    • Instruction Fuzzy Hash: 3C71A23160420167C604FB72CD579AE77A4AE94308F40097FF586A61E2FFBC9945C69E
                                                                    APIs
                                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBEA
                                                                    • FindClose.KERNEL32(00000000), ref: 0040BC04
                                                                    • FindNextFileA.KERNEL32(00000000,?), ref: 0040BD27
                                                                    • FindClose.KERNEL32(00000000), ref: 0040BD4D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Find$CloseFile$FirstNext
                                                                    • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                                    • API String ID: 1164774033-3681987949
                                                                    • Opcode ID: 18342867f734f2841e669af5083de8c2dab1af7c47cb6c1de474c139f9f473ff
                                                                    • Instruction ID: 8b0b2ff803da1d4b435a108118727fe7c74031c8ac088da8990f7d135a86af9b
                                                                    • Opcode Fuzzy Hash: 18342867f734f2841e669af5083de8c2dab1af7c47cb6c1de474c139f9f473ff
                                                                    • Instruction Fuzzy Hash: C7514F3190021A9ADB14FBB2DC56AEEB739AF10304F50057FF506721E2FF785A49CA99
                                                                    APIs
                                                                    • OpenClipboard.USER32 ref: 004168FD
                                                                    • EmptyClipboard.USER32 ref: 0041690B
                                                                    • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 0041692B
                                                                    • GlobalLock.KERNEL32(00000000), ref: 00416934
                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 0041696A
                                                                    • SetClipboardData.USER32(0000000D,00000000), ref: 00416973
                                                                    • CloseClipboard.USER32 ref: 00416990
                                                                    • OpenClipboard.USER32 ref: 00416997
                                                                    • GetClipboardData.USER32(0000000D), ref: 004169A7
                                                                    • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                                                    • CloseClipboard.USER32 ref: 004169BF
                                                                      • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                                    • String ID: !D@$xdF
                                                                    • API String ID: 3520204547-3540039394
                                                                    • Opcode ID: 39772432d56cfe4eb14fdac75839e1279500087a28f6359788c1c709076d09b9
                                                                    • Instruction ID: 40a69bedac3bd734cdfdd6227e623399476ab8ebe6f0a7c245c4ec6d1d06efb6
                                                                    • Opcode Fuzzy Hash: 39772432d56cfe4eb14fdac75839e1279500087a28f6359788c1c709076d09b9
                                                                    • Instruction Fuzzy Hash: 16215171204301EBD714BB71DC5DAAE7AA9AF88746F00043EF946961E2EF3C8C45866A
                                                                    APIs
                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750F4,?,00475348), ref: 0040F4C9
                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00475348), ref: 0040F4F4
                                                                    • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F510
                                                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F58F
                                                                    • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475348), ref: 0040F59E
                                                                      • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                                      • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                                    • CloseHandle.KERNEL32(00000000,?,00475348), ref: 0040F6A9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                                                    • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$xdF$xdF$RG
                                                                    • API String ID: 3756808967-1574553308
                                                                    • Opcode ID: 277d96cf34d7a1c9247649cf876a047f244a6c2fe09a2f639ae2f5cdf8dbe9f6
                                                                    • Instruction ID: f7ffc7f0dfbd756cb6275d6ec2ba0be94116b78c8c9f611e281f0170cc986b4a
                                                                    • Opcode Fuzzy Hash: 277d96cf34d7a1c9247649cf876a047f244a6c2fe09a2f639ae2f5cdf8dbe9f6
                                                                    • Instruction Fuzzy Hash: 4C7130705083419AC724FB21D8559AEB7E4AF90348F40483FF586631E3EF79994DCB9A
                                                                    APIs
                                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDEA
                                                                    • FindClose.KERNEL32(00000000), ref: 0040BE04
                                                                    • FindNextFileA.KERNEL32(00000000,?), ref: 0040BEC4
                                                                    • FindClose.KERNEL32(00000000), ref: 0040BEEA
                                                                    • FindClose.KERNEL32(00000000), ref: 0040BF0B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Find$Close$File$FirstNext
                                                                    • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                    • API String ID: 3527384056-432212279
                                                                    • Opcode ID: d80be7de76e7ea0c32fca0f5c326f19f203fb83dcddea2239218120f3223656a
                                                                    • Instruction ID: 490896facf616f27299b965c2ba25c256be2621490ca3b25f990f1d956524bcc
                                                                    • Opcode Fuzzy Hash: d80be7de76e7ea0c32fca0f5c326f19f203fb83dcddea2239218120f3223656a
                                                                    • Instruction Fuzzy Hash: E0417F3190021AAACB04F7B2DC5A9EE7769AF11704F50057FF506B21E2EF385A458A9D
                                                                    APIs
                                                                    • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413452
                                                                    • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413460
                                                                    • GetFileSize.KERNEL32(?,00000000), ref: 0041346D
                                                                    • UnmapViewOfFile.KERNEL32(00000000), ref: 0041348D
                                                                    • CloseHandle.KERNEL32(00000000), ref: 0041349A
                                                                    • CloseHandle.KERNEL32(?), ref: 004134A0
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                                                    • String ID:
                                                                    • API String ID: 297527592-0
                                                                    • Opcode ID: 99f17da9e7d54f956def1805155cc27ac6796c213d0ac5a717a51dbca6d250a6
                                                                    • Instruction ID: cfdeae1586e3f17d3ae994cf28232467201964e06db1490d1c70a6fe2d897c90
                                                                    • Opcode Fuzzy Hash: 99f17da9e7d54f956def1805155cc27ac6796c213d0ac5a717a51dbca6d250a6
                                                                    • Instruction Fuzzy Hash: A841F371104301BBD7109F26EC49F6B3BACEFC9769F10052EF655D21A2DB38DA40866E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 0$1$2$3$4$5$6$7
                                                                    • API String ID: 0-3177665633
                                                                    • Opcode ID: 0a489d5e0e760ad1c7226f97b7491b422d815e77a9228981358e888a0221c37f
                                                                    • Instruction ID: 3c74f5afe55031bef20d6cb4aa2bc38f0c43463ce83be6e36937eb537edf8bdf
                                                                    • Opcode Fuzzy Hash: 0a489d5e0e760ad1c7226f97b7491b422d815e77a9228981358e888a0221c37f
                                                                    • Instruction Fuzzy Hash: CB71E2709183019FD704EF21D862BAB7B94DF85710F00492FF5A26B2D1DE78AB49CB96
                                                                    APIs
                                                                    • GetForegroundWindow.USER32 ref: 0040A451
                                                                    • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                                                    • GetKeyboardLayout.USER32(00000000), ref: 0040A464
                                                                    • GetKeyState.USER32(00000010), ref: 0040A46E
                                                                    • GetKeyboardState.USER32(?), ref: 0040A479
                                                                    • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A49C
                                                                    • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                                                                    • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A535
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                                    • String ID: (kG
                                                                    • API String ID: 1888522110-2813241365
                                                                    • Opcode ID: 79348ff8eaa35f6faedaca36de41c7c480938a272048c625dc6fe4e82d71162d
                                                                    • Instruction ID: 3b9a32d10988b9101c987d3e8fcb44953e801c6634267c48ca941b3c69dca571
                                                                    • Opcode Fuzzy Hash: 79348ff8eaa35f6faedaca36de41c7c480938a272048c625dc6fe4e82d71162d
                                                                    • Instruction Fuzzy Hash: F8316D72504308BFD700DFA0DC45F9B7BECAB88754F00083AB645D61A0D7B5E948CBA6
                                                                    APIs
                                                                      • Part of subcall function 0041798D: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                                                      • Part of subcall function 0041798D: OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                                                      • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                                                      • Part of subcall function 0041798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                                                      • Part of subcall function 0041798D: GetLastError.KERNEL32 ref: 004179D8
                                                                    • ExitWindowsEx.USER32(00000000,00000001), ref: 00416891
                                                                    • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 004168A6
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 004168AD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                                    • String ID: !D@$$aF$(aF$,aF$PowrProf.dll$SetSuspendState
                                                                    • API String ID: 1589313981-3345310279
                                                                    • Opcode ID: 3fe2131d6966d0e8fad4210f3d5d8942d0d933674c477fe61e392911f7ba54a0
                                                                    • Instruction ID: 272f3f60014ab8f8f2fa2781f50e1ac7d9ab3f628c5d0f86ef79d7992e461550
                                                                    • Opcode Fuzzy Hash: 3fe2131d6966d0e8fad4210f3d5d8942d0d933674c477fe61e392911f7ba54a0
                                                                    • Instruction Fuzzy Hash: D821B17060430166CA14FBB28856ABF36599F41388F41087FB501671D2EF3DD845C76E
                                                                    APIs
                                                                    • _wcslen.LIBCMT ref: 0040755C
                                                                    • CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Object_wcslen
                                                                    • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                                    • API String ID: 240030777-3166923314
                                                                    • Opcode ID: 117ce5ffae064854f49a167cf2fa86c02e7857af1ac0d1358aae668e1cde24ce
                                                                    • Instruction ID: 28daeeabb8f9d0779e909056d36d27ae9c6096be3406941992b1a3e854751cf1
                                                                    • Opcode Fuzzy Hash: 117ce5ffae064854f49a167cf2fa86c02e7857af1ac0d1358aae668e1cde24ce
                                                                    • Instruction Fuzzy Hash: 88113771D04214B6D710EA959845BDEB77C9B08714F15006FF904B2281EB7CAE448A6F
                                                                    APIs
                                                                    • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758F8), ref: 0041A7EF
                                                                    • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A83E
                                                                    • GetLastError.KERNEL32 ref: 0041A84C
                                                                    • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A884
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                                    • String ID:
                                                                    • API String ID: 3587775597-0
                                                                    • Opcode ID: 9816c30dbe394c6d524d412892c8543da7174021f6f617124b5cdd31ab9446d7
                                                                    • Instruction ID: 52116c85fb856a5ac6c14b0259405ec20ae2fa8d9cc538ef9907a440d1633313
                                                                    • Opcode Fuzzy Hash: 9816c30dbe394c6d524d412892c8543da7174021f6f617124b5cdd31ab9446d7
                                                                    • Instruction Fuzzy Hash: 17817071104301ABC304EF61D885DAFB7A8FF94749F50082EF185521A2EF78EE49CB9A
                                                                    APIs
                                                                      • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                      • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                      • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                      • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                      • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                                      • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                                                    • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045279C
                                                                    • IsValidCodePage.KERNEL32(00000000), ref: 004527F7
                                                                    • IsValidLocale.KERNEL32(?,00000001), ref: 00452806
                                                                    • GetLocaleInfoW.KERNEL32(?,00001001,JD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0045284E
                                                                    • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 0045286D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                                    • String ID: JD$JD$JD
                                                                    • API String ID: 745075371-3517165026
                                                                    • Opcode ID: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                                                    • Instruction ID: 3c84011e7dbdf7a6f9673bc5a23f9f2f22d5020eb6794df094384b3d0215d6fb
                                                                    • Opcode Fuzzy Hash: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                                                    • Instruction Fuzzy Hash: 9B518571900205ABDB10DFA5CD45ABF77B8EF0A702F04046BED14E7292E7B89948CB69
                                                                    APIs
                                                                    • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C3D6
                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 0040C4A9
                                                                    • FindClose.KERNEL32(00000000), ref: 0040C4B8
                                                                    • FindClose.KERNEL32(00000000), ref: 0040C4E3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Find$CloseFile$FirstNext
                                                                    • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                    • API String ID: 1164774033-405221262
                                                                    • Opcode ID: 21e961ad14d8706e1764f249261524b51ee598c5394bc24aaf15d08685e82473
                                                                    • Instruction ID: 33618048715e6b2d4a7b39963b1e19558724686ef99070a322097c87c0ca4c0c
                                                                    • Opcode Fuzzy Hash: 21e961ad14d8706e1764f249261524b51ee598c5394bc24aaf15d08685e82473
                                                                    • Instruction Fuzzy Hash: 59313E31500219AACB14E761DC9A9EE7778AF50719F10057FF106B21E2EF7C9946CA4D
                                                                    APIs
                                                                    • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C37D
                                                                    • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C3AD
                                                                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C41F
                                                                    • DeleteFileW.KERNEL32(?,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C42C
                                                                      • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C402
                                                                    • GetLastError.KERNEL32(?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C44D
                                                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C463
                                                                    • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C46A
                                                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C473
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                                    • String ID:
                                                                    • API String ID: 2341273852-0
                                                                    • Opcode ID: 74fc921fbbcb6c35e60b9a8f4f047a03f237c0767a03969ab094381de9c75e57
                                                                    • Instruction ID: 53b23dfad01ba0d5beec27b7c27070a1caf437d6ccbc5233b8522822963bc02e
                                                                    • Opcode Fuzzy Hash: 74fc921fbbcb6c35e60b9a8f4f047a03f237c0767a03969ab094381de9c75e57
                                                                    • Instruction Fuzzy Hash: 4A31807284431CAADB24E761DC89EEB736CAF09305F0405FBF559D2051EB3DDAC98A58
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A30E
                                                                    • SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
                                                                    • GetLastError.KERNEL32 ref: 0040A328
                                                                      • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A376
                                                                    • TranslateMessage.USER32(?), ref: 0040A385
                                                                    • DispatchMessageA.USER32(?), ref: 0040A390
                                                                    Strings
                                                                    • Keylogger initialization failure: error , xrefs: 0040A33C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                                    • String ID: Keylogger initialization failure: error
                                                                    • API String ID: 3219506041-952744263
                                                                    • Opcode ID: c5b21aee106db64297f83d83fb53438447821f65483e7369ff3a1db3786c8b7d
                                                                    • Instruction ID: bc7b44719e59224dfa2ccda8cade24f8ec1ba8a069f7aee67aec650331f950b6
                                                                    • Opcode Fuzzy Hash: c5b21aee106db64297f83d83fb53438447821f65483e7369ff3a1db3786c8b7d
                                                                    • Instruction Fuzzy Hash: 8911C131510301EBC710BB769C0986B77ACEB95715B20097EFC82E22D1FB34C910CBAA
                                                                    APIs
                                                                    • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140D8
                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140E4
                                                                      • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                    • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004142A5
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 004142AC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressCloseCreateLibraryLoadProcsend
                                                                    • String ID: SHDeleteKeyW$Shlwapi.dll
                                                                    • API String ID: 2127411465-314212984
                                                                    • Opcode ID: c69769d582df06bbb63f54f4621ea7cbe301890064e0651883800ca005cdaafa
                                                                    • Instruction ID: cc57822c2a7f940fffebe33daf0632284ddc1748a3b8d5e961f42c670a34d5b4
                                                                    • Opcode Fuzzy Hash: c69769d582df06bbb63f54f4621ea7cbe301890064e0651883800ca005cdaafa
                                                                    • Instruction Fuzzy Hash: D1B1F671A0430066CA14BB76DC579AF36A89F91748F40053FB906671E2EE7D8A48C6DA
                                                                    APIs
                                                                    • _free.LIBCMT ref: 00449292
                                                                    • _free.LIBCMT ref: 004492B6
                                                                    • _free.LIBCMT ref: 0044943D
                                                                    • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                                                    • _free.LIBCMT ref: 00449609
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                                    • String ID:
                                                                    • API String ID: 314583886-0
                                                                    • Opcode ID: 71e5bba2b7b351388bd39f154d25f2104176610652312e7e643454e051ac170f
                                                                    • Instruction ID: 020e1479f4dc59d8c1013f8997fe2690be381d41ecad25fd3e4808fcef6bdafa
                                                                    • Opcode Fuzzy Hash: 71e5bba2b7b351388bd39f154d25f2104176610652312e7e643454e051ac170f
                                                                    • Instruction Fuzzy Hash: E0C13A71900205ABFB24DF79CD41AAF7BA8EF46314F2405AFE884D7291E7788D42D758
                                                                    APIs
                                                                    • FindFirstFileW.KERNEL32(00000000,?), ref: 00419DDC
                                                                    • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419EA8
                                                                      • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$Find$CreateFirstNext
                                                                    • String ID: 8eF$HSG$`XG$`XG
                                                                    • API String ID: 341183262-1600017543
                                                                    • Opcode ID: cb15ae118b132379f8e16cf20f80b5d5bbb8a4d431a3c348f681fbadb84ec924
                                                                    • Instruction ID: 3e2b8d556a8fbdbb081ab446324185a4f3aab8361380fbf0113865ad31d0729a
                                                                    • Opcode Fuzzy Hash: cb15ae118b132379f8e16cf20f80b5d5bbb8a4d431a3c348f681fbadb84ec924
                                                                    • Instruction Fuzzy Hash: 588151315083415BC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                                                                    APIs
                                                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FF7
                                                                    • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070DB
                                                                    Strings
                                                                    • open, xrefs: 00406FF1
                                                                    • 0aF, xrefs: 0040712C
                                                                    • 0aF, xrefs: 0040701B
                                                                    • C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, xrefs: 00407042, 0040716A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: DownloadExecuteFileShell
                                                                    • String ID: 0aF$0aF$C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe$open
                                                                    • API String ID: 2825088817-1053729833
                                                                    • Opcode ID: 7bd21f110e5793b85c0d4b79f27bfd3322c66a34f4ba08d1613cb0fc1a691d32
                                                                    • Instruction ID: e12f74d6213dd3660153607da8c9b98f7978e2d251169c1aa1e307be856b925d
                                                                    • Opcode Fuzzy Hash: 7bd21f110e5793b85c0d4b79f27bfd3322c66a34f4ba08d1613cb0fc1a691d32
                                                                    • Instruction Fuzzy Hash: 1461C471A0830166CA14FB76C8569BE37A59F81758F40093FF9427B2D2EE3C9905C79B
                                                                    APIs
                                                                    • __EH_prolog.LIBCMT ref: 0040884C
                                                                    • FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                                                    • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A50
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                                                    • String ID: xdF
                                                                    • API String ID: 1771804793-999140092
                                                                    • Opcode ID: e48f18df1af907a68e3b1ed3ee6c74fcd671838186bd9ee51fa1bb39b7e3a7ba
                                                                    • Instruction ID: 967e03bdddb214c30410211942a515ee3c29859e80101891d5c5db132fd2cd64
                                                                    • Opcode Fuzzy Hash: e48f18df1af907a68e3b1ed3ee6c74fcd671838186bd9ee51fa1bb39b7e3a7ba
                                                                    • Instruction Fuzzy Hash: 94517F72900209AACB04FB65DD569ED7778AF10308F50417FB906B71E2EF389B49CB99
                                                                    APIs
                                                                    • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
                                                                    • GetLastError.KERNEL32 ref: 0040BA93
                                                                    Strings
                                                                    • UserProfile, xrefs: 0040BA59
                                                                    • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA54
                                                                    • [Chrome StoredLogins not found], xrefs: 0040BAAD
                                                                    • [Chrome StoredLogins found, cleared!], xrefs: 0040BAB9
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: DeleteErrorFileLast
                                                                    • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                                    • API String ID: 2018770650-1062637481
                                                                    • Opcode ID: f735e23f7dcfc65e86eae542564970378c4dfd97017e1c5c6a7a7620e2e54c45
                                                                    • Instruction ID: 0532e36a1aab116e50a9f1d1704ee325f44086adb43c50cfffb7bf5285f9a594
                                                                    • Opcode Fuzzy Hash: f735e23f7dcfc65e86eae542564970378c4dfd97017e1c5c6a7a7620e2e54c45
                                                                    • Instruction Fuzzy Hash: 76018F61A402056ACB04B7B6DC5B9BE7724A921704B50057FF806722D2FE7D49098BDE
                                                                    APIs
                                                                    • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                                                    • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                                                    • GetLastError.KERNEL32 ref: 004179D8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                                    • String ID: SeShutdownPrivilege
                                                                    • API String ID: 3534403312-3733053543
                                                                    • Opcode ID: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                                                    • Instruction ID: 35ac2027e355ce869dd6e937a138cd84cb59798e299a7bc9dfe05b1c572390d3
                                                                    • Opcode Fuzzy Hash: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                                                    • Instruction Fuzzy Hash: 38F03A71802229FBDB10ABA1EC4DAEF7FBCEF05612F100465B909A1152D7348E04CBB5
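                                                                    To pull the capability signals out of entries like the ones above without reading every block by hand, here is an added Python example (not Joe Sandbox code and not part of this report) that parses the "APIs" / "Strings" layout these entries use and applies a few illustrative rules to each function. The input is a constructed sample shaped like the download-and-execute, Chrome "Login Data" deletion, SeShutdownPrivilege and LoadLibraryA/GetProcAddress entries above; the rule set and the tag names are my assumptions, not Joe Sandbox signature logic. The parser handles the two quirks visible in these entries: indented "Part of subcall function" lines, which are calls made by a callee and are kept apart so they do not inflate the caller's tags, and blocks that carry no "Strings" header at all.

```python
"""Triage helper for Joe Sandbox function summaries (added example, not Joe Sandbox code).

Parses the "APIs" / "Strings" layout of the per-function entries and tags each
function with capability labels. The rules are illustrative assumptions chosen to
match the behaviour visible in this report, not Joe Sandbox's own signature logic.
"""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the entries on this page (not a verbatim copy).
SAMPLE_REPORT = r"""
APIs
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FF7
• URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070DB
Strings
• open, xrefs: 00406FF1
Memory Dump Source
APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
• GetLastError.KERNEL32 ref: 0040BA93
Strings
• \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA54
• [Chrome StoredLogins found, cleared!], xrefs: 0040BAB9
Memory Dump Source
APIs
• GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
• OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
• GetLastError.KERNEL32 ref: 004179D8
Strings
Memory Dump Source
APIs
• RegCreateKeyExW.ADVAPI32(00000000,?,?), ref: 004140D8
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
• LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004142A5
• GetProcAddress.KERNEL32(00000000), ref: 004142AC
Strings
Memory Dump Source
APIs
• _free.LIBCMT ref: 00449292
• GetTimeZoneInformation.KERNEL32(?,00000000), ref: 0044944F
Memory Dump Source
"""

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR"; an indented
# "Part of subcall function XXXX:" prefix marks a call made by a callee.
API_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_][\w@]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\(.*\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
STR_RE = re.compile(r"^\s*•\s*(?P<text>.*?),\s*xrefs:\s*(?P<refs>.+)$")


@dataclass
class FunctionBlock:
    apis: set = field(default_factory=set)          # direct calls from this function
    subcall_apis: set = field(default_factory=set)  # calls attributed to callees
    strings: list = field(default_factory=list)
    refs: list = field(default_factory=list)        # call-site addresses, for pivoting in IDA


def parse_blocks(text):
    """Split report text into one FunctionBlock per 'APIs' header."""
    blocks, current, section = [], None, None
    for line in text.splitlines():
        header = line.strip()
        if header == "APIs":
            current, section = FunctionBlock(), "apis"
            blocks.append(current)
        elif header == "Strings":
            section = "strings"
        elif header == "Memory Dump Source":  # end of the part of an entry we parse
            section = None
        elif current is not None and section == "apis":
            m = API_RE.match(line)
            if m:
                (current.subcall_apis if m["sub"] else current.apis).add(m["name"])
                current.refs.append(m["ref"])
        elif current is not None and section == "strings":
            m = STR_RE.match(line)
            if m:
                current.strings.append(m["text"])
    return blocks


# (tag, groups of alternative APIs that must all be present, substring a string must contain)
RULES = [
    ("download_and_execute", [{"URLDownloadToFileW", "URLDownloadToFileA"},
                              {"ShellExecuteW", "ShellExecuteA"}], None),
    ("browser_credential_wipe", [{"DeleteFileA", "DeleteFileW"}], "Login Data"),
    ("privilege_adjust", [{"OpenProcessToken"}, {"AdjustTokenPrivileges"}], None),
    ("dynamic_api_resolve", [{"LoadLibraryA", "LoadLibraryW"}, {"GetProcAddress"}], None),
]


def classify(block):
    """Return the rule tags satisfied by a block's direct API calls and strings."""
    tags = []
    for tag, groups, needle in RULES:
        if all(group & block.apis for group in groups) and (
            needle is None or any(needle in s for s in block.strings)
        ):
            tags.append(tag)
    return tags


def triage(text):
    """List (first call-site address, tags) for every function that fires a rule."""
    out = []
    for block in parse_blocks(text):
        tags = classify(block)
        if tags and block.refs:
            out.append((block.refs[0], tags))
    return out


if __name__ == "__main__":
    for addr, tags in triage(SAMPLE_REPORT):
        print(addr, ", ".join(tags))
```

Two points the rules encode are worth keeping in mind when reading the entries above. The `send` listed under the RegCreateKeyExW entry belongs to subcall 00404AA1, so it is recorded in `subcall_apis` and the registry routine is not tagged as network code; attributing callee behaviour to the caller is the usual way such triage over-counts. The `privilege_adjust` tag fires on the SeShutdownPrivilege routine, whose trailing GetLastError is meaningful: AdjustTokenPrivileges returns success even when no privilege was actually enabled, reporting that only through ERROR_NOT_ALL_ASSIGNED, so the call sequence shown is the correct way to tell whether the privilege was granted.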
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: __floor_pentium4
                                                                    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                    • API String ID: 4168288129-2761157908
                                                                    • Opcode ID: e29b251e1eee29052bf5b6da388e4b2e308b35626dbf2dd5d7aa75add96dd8b0
                                                                    • Instruction ID: 22fd31c6184e07a9d3e8c26eafc68e38345e899adb4ac4f90a3aea4af7cb717d
                                                                    • Opcode Fuzzy Hash: e29b251e1eee29052bf5b6da388e4b2e308b35626dbf2dd5d7aa75add96dd8b0
                                                                    • Instruction Fuzzy Hash: BBC27E71D046288FDB25CE28DD407EAB3B5EB8530AF1541EBD80DE7241E778AE898F45
                                                                    APIs
                                                                    • __EH_prolog.LIBCMT ref: 00409293
                                                                      • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,0076B358,00000010), ref: 004048E0
                                                                      • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040932F
                                                                    • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040938D
                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 004093E5
                                                                    • FindClose.KERNEL32(00000000), ref: 004093FC
                                                                      • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                                                      • Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                                                      • Part of subcall function 00404E26: CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                                                    • FindClose.KERNEL32(00000000), ref: 004095F4
                                                                      • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474F08,?), ref: 00404B47
                                                                      • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474F08,?,?,?,?,?,?,0040547D), ref: 00404B75
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                                                    • String ID:
                                                                    • API String ID: 1824512719-0
                                                                    • Opcode ID: b2b434ce7426053d64b7d7204c7279a561b4afbf635646bc6f585a4d2455e9bc
                                                                    • Instruction ID: 7a56ba3823c44b8d3dadbfeca74e3365e00ee059376cf1b582d15bdd70b30780
                                                                    • Opcode Fuzzy Hash: b2b434ce7426053d64b7d7204c7279a561b4afbf635646bc6f585a4d2455e9bc
                                                                    • Instruction Fuzzy Hash: 8AB19D32900109AACB14EBA1DD92AEDB379AF44314F50417FF506B60E2EF785F49CB59
                                                                    APIs
                                                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A731,00000000), ref: 0041AAE4
                                                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A731,00000000), ref: 0041AAF9
                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB06
                                                                    • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A731,00000000), ref: 0041AB11
                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB23
                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB26
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Service$CloseHandle$Open$ManagerStart
                                                                    • String ID:
                                                                    • API String ID: 276877138-0
                                                                    • Opcode ID: 628d36ac3c64f627b3a8437270a5a78b3dcfd045bfbfd251d1d1fe9a009dd844
                                                                    • Instruction ID: 14dbf03deabb1432b93a26d2ddf90514dbbc411f15d31c7908333a88c2a5d316
                                                                    • Opcode Fuzzy Hash: 628d36ac3c64f627b3a8437270a5a78b3dcfd045bfbfd251d1d1fe9a009dd844
                                                                    • Instruction Fuzzy Hash: FEF0E971141225AFD2115B209C88DFF276CDF85B66B00082AF901921919B68CC45E579
                                                                    APIs
                                                                    • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 00452555
                                                                    • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 0045257E
                                                                    • GetACP.KERNEL32(?,?,004527DB,?,00000000), ref: 00452593
                                                                    Similarity
                                                                    • API ID: InfoLocale
                                                                    • String ID: ACP$OCP
                                                                    • API String ID: 2299586839-711371036
                                                                    • Opcode ID: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                                                    • Instruction ID: 097c3b5166b2d36aca1cb621bb06e922528e2ea4561953c90108b9915aa2a338
                                                                    • Opcode Fuzzy Hash: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                                                    • Instruction Fuzzy Hash: 7E21F932600108B6D734CF14CA10A9B73A6EB16B53B564467ED09D7312F7B6DD44C398
                                                                    APIs
                                                                    • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407892
                                                                    • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040795A
                                                                      • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                    Similarity
                                                                    • API ID: FileFind$FirstNextsend
                                                                    • String ID: 8eF$hPG$hPG
                                                                    • API String ID: 4113138495-2076665626
                                                                    • Opcode ID: 893ffb8061db401729f059bf76d963133d717403b9007ffbb2d11b7cae451ab6
                                                                    • Instruction ID: abfa5a3658aec55442980c0effbd4670719d50d4d7308f226e3cac976b3f196c
                                                                    • Opcode Fuzzy Hash: 893ffb8061db401729f059bf76d963133d717403b9007ffbb2d11b7cae451ab6
                                                                    • Instruction Fuzzy Hash: CB2195315082019BC314FB61D895CEFB3ACAF90358F40493EF696620E1FF78AA09C65B
                                                                    APIs
                                                                    • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                                                      • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                                                                      • Part of subcall function 004137AA: RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000,00475300,?,?,0040F88E,004674C8,5.2.0 Pro), ref: 004137E1
                                                                      • Part of subcall function 004137AA: RegCloseKey.KERNEL32(?,?,?,0040F88E,004674C8,5.2.0 Pro), ref: 004137EC
                                                                    Similarity
                                                                    • API ID: CloseCreateInfoParametersSystemValue
                                                                    • String ID: ,aF$Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                                    • API String ID: 4127273184-3126330168
                                                                    • Opcode ID: 1dafd4e115d1579546cfd655b47399d1506d96e03fc201f2c1b7b85ae65ff372
                                                                    • Instruction ID: 8ac436d711b2fc3476497f69dc57c3b9a547a247a31514f467319d0910454585
                                                                    • Opcode Fuzzy Hash: 1dafd4e115d1579546cfd655b47399d1506d96e03fc201f2c1b7b85ae65ff372
                                                                    • Instruction Fuzzy Hash: D7118472BC425022E81831396D9BFBE28068343F61F54456BF6022A6CAE4CF6A9143CF
                                                                    APIs
                                                                    • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B54A
                                                                    • LoadResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B55E
                                                                    • LockResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B565
                                                                    • SizeofResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B574
                                                                    Similarity
                                                                    • API ID: Resource$FindLoadLockSizeof
                                                                    • String ID: SETTINGS
                                                                    • API String ID: 3473537107-594951305
                                                                    • Opcode ID: 7e39093ddf5dcb720cd3caccf1e1277dc2c4d9143844da5a4d70bf483eb1c798
                                                                    • Instruction ID: e87eb13c1a863bb520e8110b03cd0e44f0123e9e346c2db4eb51eb31bea7c0b5
                                                                    • Opcode Fuzzy Hash: 7e39093ddf5dcb720cd3caccf1e1277dc2c4d9143844da5a4d70bf483eb1c798
                                                                    • Instruction Fuzzy Hash: 23E01276600B21EBDB211FB1AC8CD467F25E7C9B533140075FA0582271CB758840DA58
                                                                    APIs
                                                                    • __EH_prolog.LIBCMT ref: 004096A5
                                                                    • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040971D
                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00409746
                                                                    • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040975D
                                                                    Similarity
                                                                    • API ID: Find$File$CloseFirstH_prologNext
                                                                    • String ID:
                                                                    • API String ID: 1157919129-0
                                                                    • Opcode ID: de8d8d0edd5d8a61424aad092ce358860c9bac6e1758b4239eab40e65a7e58a3
                                                                    • Instruction ID: 095255599cc0af9be2c5710cd9f248f54336688560ad7ccdcde9a73cf5c292f5
                                                                    • Opcode Fuzzy Hash: de8d8d0edd5d8a61424aad092ce358860c9bac6e1758b4239eab40e65a7e58a3
                                                                    • Instruction Fuzzy Hash: CB813C729001099BCB15EBA2DC969EDB378AF14318F10417FE506B71E2EF789E49CB58
                                                                    APIs
                                                                      • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                      • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                      • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                      • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                    • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444AF4,?,?,?,?,?,?,00000004), ref: 00451E3A
                                                                    • _wcschr.LIBVCRUNTIME ref: 00451ECA
                                                                    • _wcschr.LIBVCRUNTIME ref: 00451ED8
                                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00444AF4,00000000,00444C14), ref: 00451F7B
                                                                    Similarity
                                                                    • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                                    • String ID:
                                                                    • API String ID: 4212172061-0
                                                                    • Opcode ID: 542ab58a55aa9f08c463a9389d0e41dfe4354c1e35855495671bf6e32f2bde7c
                                                                    • Instruction ID: 2c98265d6c7a89d72caae9d33925a6d6107158c78f730362dcab12f0c71d6669
                                                                    • Opcode Fuzzy Hash: 542ab58a55aa9f08c463a9389d0e41dfe4354c1e35855495671bf6e32f2bde7c
                                                                    • Instruction Fuzzy Hash: 7F611976600606AAD714AB75CC42FBB73A8EF04306F14056FFD05DB292EB78E948C769
                                                                    APIs
                                                                      • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                      • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                      • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                      • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                    • EnumSystemLocalesW.KERNEL32(00452143,00000001,00000000,?,JD,?,00452770,00000000,?,?,?), ref: 0045208D
                                                                    Similarity
                                                                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                    • String ID: p'E$JD
                                                                    • API String ID: 1084509184-908320845
                                                                    • Opcode ID: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                                                                    • Instruction ID: b0e9e6415e7ea3a3ed95e939ef0edb9d062384d4a1a0bde9f31cc9ceae225fa6
                                                                    • Opcode Fuzzy Hash: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                                                                    • Instruction Fuzzy Hash: 0211553A2007019FDB189F39C9916BBBB92FF8075AB14482EEE4687B41D7B5A946C740
                                                                    APIs
                                                                      • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                      • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                      • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                      • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                      • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                                      • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452197
                                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004521E8
                                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004522A8
                                                                    Similarity
                                                                    • API ID: ErrorInfoLastLocale$_free$_abort
                                                                    • String ID:
                                                                    • API String ID: 2829624132-0
                                                                    • Opcode ID: 1ce7e7c7dfcd5f502045176aa51a1e3ace1f8c45826c3dbb4c0c9878229dab74
                                                                    • Instruction ID: 283aa9570716a6929da4b93cb0bca45b8c77d553a5ebfd19e37a994bad1de6ac
                                                                    • Opcode Fuzzy Hash: 1ce7e7c7dfcd5f502045176aa51a1e3ace1f8c45826c3dbb4c0c9878229dab74
                                                                    • Instruction Fuzzy Hash: F361A235500207ABDF289F24CE82B7A77A8EF05306F1441BBED05C6656E7BC9D89CB58
                                                                    APIs
                                                                    • IsDebuggerPresent.KERNEL32 ref: 0043BC69
                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC73
                                                                    • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC80
                                                                    Similarity
                                                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                    • String ID:
                                                                    • API String ID: 3906539128-0
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 100061DA
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 100061E4
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 100061F1
Memory Dump Source
• Source File: 00000000.00000002.4517676071.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4517659221.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4517676071.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
APIs
• GetCurrentProcess.KERNEL32(?,?,0044332B,?), ref: 00443376
• TerminateProcess.KERNEL32(00000000,?,0044332B,?), ref: 0044337D
• ExitProcess.KERNEL32 ref: 0044338F
Memory Dump Source
• Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
Yara matches
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
APIs
• GetCurrentProcess.KERNEL32(?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004AD5
• TerminateProcess.KERNEL32(00000000,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004ADC
• ExitProcess.KERNEL32 ref: 10004AEE
Memory Dump Source
• Source File: 00000000.00000002.4517676071.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4517659221.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4517676071.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
APIs
• OpenClipboard.USER32(00000000), ref: 0040B74C
• GetClipboardData.USER32(0000000D), ref: 0040B758
• CloseClipboard.USER32 ref: 0040B760
Memory Dump Source
• Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
Yara matches
Similarity
• API ID: Clipboard$CloseDataOpen
• String ID:
• API String ID: 2058664381-0
APIs
• OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041605F,00000000), ref: 0041BBD1
• NtResumeProcess.NTDLL(00000000), ref: 0041BBDE
• CloseHandle.KERNEL32(00000000,?,?,0041605F,00000000), ref: 0041BBE7
Memory Dump Source
• Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
Yara matches
Similarity
• API ID: Process$CloseHandleOpenResume
• String ID:
• API String ID: 3614150671-0
APIs
• OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041603A,00000000), ref: 0041BBA5
• NtSuspendProcess.NTDLL(00000000), ref: 0041BBB2
• CloseHandle.KERNEL32(00000000,?,?,0041603A,00000000), ref: 0041BBBB
Memory Dump Source
• Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
Yara matches
Similarity
• API ID: Process$CloseHandleOpenSuspend
• String ID:
• API String ID: 1999457699-0
APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434CCF
Strings
Memory Dump Source
• Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
Yara matches
Similarity
• API ID: FeaturePresentProcessor
• String ID: MZ@
• API String ID: 2325560087-2978689999
Strings
Memory Dump Source
• Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
Yara matches
Similarity
• API ID:
• String ID: .
• API String ID: 0-248832578
Strings
Memory Dump Source
• Source File: 00000000.00000002.4517676071.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4517659221.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4517676071.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
Similarity
• API ID:
• String ID: .
• API String ID: 0-248832578
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
• EnumSystemLocalesW.KERNEL32(00452393,00000001,?,?,JD,?,00452734,JD,?,?,?,?,?,00444AED,?,?), ref: 00452102
Strings
Memory Dump Source
• Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
Yara matches
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID: JD
• API String ID: 1084509184-2669065882
APIs
• GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004489C0
Strings
Memory Dump Source
• Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
Yara matches
Similarity
• API ID: InfoLocale
• String ID: GetLocaleInfoEx
• API String ID: 2299586839-2904428671
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 321144b451aceacc10be44255a5eb5313de52b8189587c3c0fdae4375c3dd106
                                                                    • Instruction ID: f88ef0336175cd1615890b4a552d96ffb4623b3c947145a2eaf1ae153763923c
                                                                    • Opcode Fuzzy Hash: 321144b451aceacc10be44255a5eb5313de52b8189587c3c0fdae4375c3dd106
                                                                    • Instruction Fuzzy Hash: AA025D71E002199BEF14CFA9D8806AEFBF1FF49314F26816AD819E7384D734AD418B85
                                                                    APIs
                                                                    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004533A6,?,?,00000008,?,?,0045625D,00000000), ref: 004535D8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ExceptionRaise
                                                                    • String ID:
                                                                    • API String ID: 3997070919-0
                                                                    • Opcode ID: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                                                                    • Instruction ID: 7263c04077df6a1dd25da4ac29b5b982fa38ace811980f45f75c7c5cedc24273
                                                                    • Opcode Fuzzy Hash: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                                                                    • Instruction Fuzzy Hash: 0FB13B315106089FD715CF28C48AB657BE0FF053A6F25865DE899CF3A2C339EA96CB44
                                                                    APIs
                                                                    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,1000B5BC,?,?,00000008,?,?,1000B25C,00000000), ref: 1000B7EE
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4517676071.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4517659221.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4517676071.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: ExceptionRaise
                                                                    • String ID:
                                                                    • API String ID: 3997070919-0
                                                                    • Opcode ID: 5385f7ee1153a66eb2669645b58237e3e0719d9079e030963b5c19e75e4dc3f3
                                                                    • Instruction ID: c899a2dc376e060411cab8954cdd4c29929d9ba6cfa71f030d59b99a2ca162da
                                                                    • Opcode Fuzzy Hash: 5385f7ee1153a66eb2669645b58237e3e0719d9079e030963b5c19e75e4dc3f3
                                                                    • Instruction Fuzzy Hash: 0DB16B31610A09CFE755CF28C486B647BE0FF453A4F25C658E89ACF2A5C735E982CB40
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 0
                                                                    • API String ID: 0-4108050209
                                                                    • Opcode ID: ac460f81c2ed1c183269c9f6522614bdccbebbe18bfaf8fef360a7d89dd83e89
                                                                    • Instruction ID: b5ae8e6f7fa87a7dee9e60626e0a37a25df5f2dd99b83f8da903d7583ecded6c
                                                                    • Opcode Fuzzy Hash: ac460f81c2ed1c183269c9f6522614bdccbebbe18bfaf8fef360a7d89dd83e89
                                                                    • Instruction Fuzzy Hash: 0C129E727083048BD304DF65D882A1EB7E2BFCC758F15892EF495AB381DA74E915CB86
                                                                    APIs
                                                                      • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                      • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                      • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                      • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                      • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                                      • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004523E7
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorLast$_free$InfoLocale_abort
                                                                    • String ID:
                                                                    • API String ID: 1663032902-0
                                                                    • Opcode ID: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                                                                    • Instruction ID: 2d4dd0c1c30cd12b50dfb53a4a1f7f5f9091958bb121381f53cce851c87d7921
                                                                    • Opcode Fuzzy Hash: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                                                                    • Instruction Fuzzy Hash: F921D632600606ABDB249F25DD41FBB73A8EB06316F10407FED01D6152EBBC9D48CB59
                                                                    APIs
                                                                      • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                      • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                      • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                      • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                    • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00452361,00000000,00000000,?), ref: 004525EF
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorLast$InfoLocale_abort_free
                                                                    • String ID:
                                                                    • API String ID: 2692324296-0
                                                                    • Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                                                    • Instruction ID: 8c29d710edde3bbc403447a64c1727e90569dbd09ff88c71ffccea9529c81983
                                                                    • Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                                                    • Instruction Fuzzy Hash: C4F04936A00116BBDB245A24D905BBF7B58EB01315F04446BEC05A3241FAF8FD058694
                                                                    APIs
                                                                      • Part of subcall function 00445909: EnterCriticalSection.KERNEL32(-0006D41D,?,0044305C,00000000,0046E938,0000000C,00443017,?,?,?,00445BA7,?,?,0044834A,00000001,00000364), ref: 00445918
                                                                    • EnumSystemLocalesW.KERNEL32(0044843E,00000001,0046EAE0,0000000C), ref: 004484BC
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                    • String ID:
                                                                    • API String ID: 1272433827-0
                                                                    • Opcode ID: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                                                                    • Instruction ID: 901ea181f65c0ebd25502bb0be635eecd519ab6688482fb1bf3a60b9f01fb263
                                                                    • Opcode Fuzzy Hash: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                                                                    • Instruction Fuzzy Hash: 37F04F76A50200EFEB00EF69D946B4D37E0FB04725F10446EF514DB2A2DB7899809B49
                                                                    APIs
                                                                      • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                      • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                      • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                      • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                    • EnumSystemLocalesW.KERNEL32(00451F27,00000001,?,?,?,00452792,JD,?,?,?,?,?,00444AED,?,?,?), ref: 00452007
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                    • String ID:
                                                                    • API String ID: 1084509184-0
                                                                    • Opcode ID: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                                                                    • Instruction ID: 16a122e2f6617649f53ffd93528404cf76eb0d70ff9257d35f530b0535ef024d
                                                                    • Opcode Fuzzy Hash: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                                                                    • Instruction Fuzzy Hash: 84F0203630020597CB04AF75D845B6A7F90EB82729B06009AFE058B6A2C7799842C754
                                                                    APIs
                                                                    • SetUnhandledExceptionFilter.KERNEL32(Function_00034BE4,0043490B), ref: 00434BDD
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ExceptionFilterUnhandled
                                                                    • String ID:
                                                                    • API String ID: 3192549508-0
                                                                    • Opcode ID: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                                                    • Instruction ID: 702e07acd891e046c8aea5fc6397425f5e3bd38ef0af78e1c7fed93ac6412050
                                                                    • Opcode Fuzzy Hash: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                                                    • Instruction Fuzzy Hash:
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: RGw@
                                                                    • API String ID: 0-316194375
                                                                    • Opcode ID: 30caec0efc745099040319085d406cd9bdcff08e218f1b0552064e12ef4373be
                                                                    • Instruction ID: 32d6082e35155a0a096806a6943d6f48c3d67459c64856e3d931f7c23e0710f9
                                                                    • Opcode Fuzzy Hash: 30caec0efc745099040319085d406cd9bdcff08e218f1b0552064e12ef4373be
                                                                    • Instruction Fuzzy Hash: 59618971202709A6EE34892B88967BF63949F6D314F10342FE983DB3C1D65DDD82931E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @
                                                                    • API String ID: 0-2766056989
                                                                    • Opcode ID: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
                                                                    • Instruction ID: bbd91956ea41f9089fdf4ea26de33e0e8d132f349ea16d9e77f48d305cf446da
                                                                    • Opcode Fuzzy Hash: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
                                                                    • Instruction Fuzzy Hash: F1412975A183558FC340CF29D58020AFBE1FFC8318F645A1EF889A3350D379E9428B86
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4517676071.0000000010016000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4517659221.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4517676071.0000000010001000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f12bac2ceacaba3709f449de7301e54826307763cc64d35c491f096f7cc92462
                                                                    • Instruction ID: 44f99013a838546abf86f75096a930c39f9ce457c7277da91ad5f6740c4fb7fb
                                                                    • Opcode Fuzzy Hash: f12bac2ceacaba3709f449de7301e54826307763cc64d35c491f096f7cc92462
                                                                    • Instruction Fuzzy Hash: 89628C316083958FD324DF28C48469ABBF1FF85384F154A2DE9E98B391E771D989CB42
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c092c4f6b84b18e3b6cbbf7fe4413e1147b07dd6558fe569cc2693f6d3c9d2d8
                                                                    • Instruction ID: 4200599dcb49c21c1ca78238ad82984ca11e49a574bdd01b256a4bdf4e559873
                                                                    • Opcode Fuzzy Hash: c092c4f6b84b18e3b6cbbf7fe4413e1147b07dd6558fe569cc2693f6d3c9d2d8
                                                                    • Instruction Fuzzy Hash: D2322521D69F414DE7239A35CC22336A24CBFB73C5F15D737E81AB5AAAEB29C4834105
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 11fe0a22ef666ee2c1bed35089f8503541a39c5702d52e9a7652229b453a748b
                                                                    • Instruction ID: 06c66d0f35fb266b7f69fbfce4f1f639eb17408d85dd7e5468211ecdc8378744
                                                                    • Opcode Fuzzy Hash: 11fe0a22ef666ee2c1bed35089f8503541a39c5702d52e9a7652229b453a748b
                                                                    • Instruction Fuzzy Hash: 7932C2716087459BC715DF28C4807ABB7E5BF84318F040A3EF89587392D779D98ACB8A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 069969c8f4566116342464d842351c7afe0a72e1e3c3dbe851ab1ff53bf1dd64
                                                                    • Instruction ID: b033fe34555866f616fd3cc64b543b740d9cc82fbf2d17309ab2a27531c6336b
                                                                    • Opcode Fuzzy Hash: 069969c8f4566116342464d842351c7afe0a72e1e3c3dbe851ab1ff53bf1dd64
                                                                    • Instruction Fuzzy Hash: 6C02CEB17046528BC358CF2EEC5053AB7E1AB8D311744863EE495C7781EB35FA22CB94
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 82c6eebf497a8783bea5e127f8a47c76021f3e74a05456d4a9fdc662aa60ff2a
                                                                    • Instruction ID: 06b531cc06dcd57701b547059d2c567c45bbe225ee7d26ac7aed84b394be02a5
                                                                    • Opcode Fuzzy Hash: 82c6eebf497a8783bea5e127f8a47c76021f3e74a05456d4a9fdc662aa60ff2a
                                                                    • Instruction Fuzzy Hash: 2DF19D716142558FC348CF1DE8A187BB3E1FB89311B450A2EF582C3391DB79EA16CB56
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                    • Instruction ID: 2ce137016e68017aebaac4bbf916a57dff7c64f07ba89619fc9d118b501662d8
                                                                    • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                    • Instruction Fuzzy Hash: F9C1D5B22091930AEF3D4639853063FFAA05E957B171A635FE4F2CB2D4FE18C924D514
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                    • Instruction ID: bc2d6065b6eca92eb436045fb502f22698d18e4b36ed1375ff5d5b4a3f5914d0
                                                                    • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                    • Instruction Fuzzy Hash: 75C1D7722091930AEF2D4739853463FFAA15EA57B171A236FE4F2CB2D4FE28C924D514
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                                    • Instruction ID: 708e8454946620f186a1700387687a053fc407bd339bf74556c1f47a113f5a1a
                                                                    • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                                    • Instruction Fuzzy Hash: 95C1C3B220D0930AEF3D4639853063FFAA15EA67B171A675ED4F2CB2D4FE18C924D614
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                    • Instruction ID: 79ee4f31eba35b7567f7a499d226924a3a6c1d38d98321864059dc3c63d33f3d
                                                                    • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                    • Instruction Fuzzy Hash: 76C1E6B220D0930AEF3D4639853463FBAA15EA57B171A236FD4F2CB2D4FE18C924C614
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2e85d6dc501202f3c2e801dccf0940871ddf0a86c450432c97aa3465398b7722
                                                                    • Instruction ID: 096ff1c695f9ab27d4b2dbab46670c8098de74970727e2ec16deab2a6828ec1d
                                                                    • Opcode Fuzzy Hash: 2e85d6dc501202f3c2e801dccf0940871ddf0a86c450432c97aa3465398b7722
                                                                    • Instruction Fuzzy Hash: EAB1A37951429A8ACB05EF68C4913F63BA1EF6A301F0850B9EC9CCF757D2398506EB24
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 341ce5e44018b0d8febb5363e57dd776d1ec6df4a054cddc6676df713c6a7dda
                                                                    • Instruction ID: 5d22fc1bcc5d638cf6a4a0606be4d5c4d5bba199c703cf788a7f99cafe8d65e8
                                                                    • Opcode Fuzzy Hash: 341ce5e44018b0d8febb5363e57dd776d1ec6df4a054cddc6676df713c6a7dda
                                                                    • Instruction Fuzzy Hash: 12615871602718A6DA38592B88977BF2384EB2D344F94351BE483DB3C1D75EAD43871E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                                                    • Instruction ID: 6c705508b021f12d90b9f9697341ee8142861c1d23b7247138392dbd6e0aa073
                                                                    • Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                                                    • Instruction Fuzzy Hash: 59517671603604A7EF3445AB85567BF63899B0E304F18395FE882C73C2C52DDE02875E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                                    • Instruction ID: 84bf5d8b6cf777f915eff3509e2c27b9c7ae744ab127a35c194aadb47efed811
                                                                    • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                                    • Instruction Fuzzy Hash: E1517761E0660557DF38892A94D67BF23A59B4E308F18351FE483CB3C2C65EEE06835E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5391bdb46e7b363b15ab8dfbfe7515acbec1a5683836347dd09947684361f79a
                                                                    • Instruction ID: d4d389248adab082d17fbdeb677dfbf93ddf16fcbb8c162b69e64d6cf0e33668
                                                                    • Opcode Fuzzy Hash: 5391bdb46e7b363b15ab8dfbfe7515acbec1a5683836347dd09947684361f79a
                                                                    • Instruction Fuzzy Hash: 61615B72A083059BC308DF35E481A5FB7E4AFCC718F814E2EF595D6151EA74EA08CB86
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                    • Instruction ID: 582e3a7babb983407823034c482dc4f24404013c153b7f4d28c3fef3b0c68a44
                                                                    • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                    • Instruction Fuzzy Hash: 43113B7720034183D60CAA6DC4B45BBD795EADE320FBD627FF0414B744CA2AD4459508
                                                                    APIs
                                                                    • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418ECB
                                                                    • CreateCompatibleDC.GDI32(00000000), ref: 00418ED8
                                                                      • Part of subcall function 00419360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419390
                                                                    • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F4E
                                                                    • DeleteDC.GDI32(00000000), ref: 00418F65
                                                                    • DeleteDC.GDI32(00000000), ref: 00418F68
                                                                    • DeleteObject.GDI32(00000000), ref: 00418F6B
                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00418F8C
                                                                    • DeleteDC.GDI32(00000000), ref: 00418F9D
                                                                    • DeleteDC.GDI32(00000000), ref: 00418FA0
                                                                    • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418FC4
                                                                    • GetCursorInfo.USER32(?), ref: 00418FE2
                                                                    • GetIconInfo.USER32(?,?), ref: 00418FF8
                                                                    • DeleteObject.GDI32(?), ref: 00419027
                                                                    • DeleteObject.GDI32(?), ref: 00419034
                                                                    • DrawIcon.USER32(00000000,?,?,?), ref: 00419041
                                                                    • BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00660046), ref: 00419077
                                                                    • GetObjectA.GDI32(00000000,00000018,?), ref: 004190A3
                                                                    • LocalAlloc.KERNEL32(00000040,00000001), ref: 00419110
                                                                    • GlobalAlloc.KERNEL32(00000000,?), ref: 0041917F
                                                                    • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
                                                                    • DeleteDC.GDI32(?), ref: 004191B7
                                                                    • DeleteDC.GDI32(00000000), ref: 004191BA
                                                                    • DeleteObject.GDI32(00000000), ref: 004191BD
                                                                    • GlobalFree.KERNEL32(?), ref: 004191C8
                                                                    • DeleteObject.GDI32(00000000), ref: 0041927C
                                                                    • GlobalFree.KERNEL32(?), ref: 00419283
                                                                    • DeleteDC.GDI32(?), ref: 00419293
                                                                    • DeleteDC.GDI32(00000000), ref: 0041929E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
                                                                    • String ID: DISPLAY
                                                                    • API String ID: 4256916514-865373369
                                                                    • Opcode ID: f9e65dbfa61e51f6a49948392e74cf52d1b74234f8e5b27367180c65f1131f64
                                                                    • Instruction ID: 987d9a4534759b20ade43e5cc0d007ec6aae9fd5378911baa39845865ae00971
                                                                    • Opcode Fuzzy Hash: f9e65dbfa61e51f6a49948392e74cf52d1b74234f8e5b27367180c65f1131f64
                                                                    • Instruction Fuzzy Hash: D8C15C71504301AFD720DF25DC48BABBBE9EB88715F04482EF98993291DB34ED45CB6A
                                                                    APIs
                                                                      • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                                      • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D558
                                                                    • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D56B
                                                                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D584
                                                                    • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D5B4
                                                                      • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,00475300,pth_unenc,0040D0F3,004752E8,00475300,?,pth_unenc), ref: 0040B8F6
                                                                      • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(00475100), ref: 0040B902
                                                                      • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,pth_unenc), ref: 0040B910
                                                                      • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
                                                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D7FF
                                                                    • ExitProcess.KERNEL32 ref: 0040D80B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                    • String ID: """, 0$")$@qF$@qF$CreateObject("WScript.Shell").Run "cmd /c ""$HSG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$tMG$wend$while fso.FileExists("$xdF$xpF
                                                                    • API String ID: 1861856835-1567776996
                                                                    • Opcode ID: 378485639873f91e3566d37bd4c9dc270e24a7b07407a649f66661562ec7a51b
                                                                    • Instruction ID: 74aa42f7ec26bf67edaf4e1a165d404297a62af2c65c2789fcbb2c22ca84ca6d
                                                                    • Opcode Fuzzy Hash: 378485639873f91e3566d37bd4c9dc270e24a7b07407a649f66661562ec7a51b
                                                                    • Instruction Fuzzy Hash: B991B1316082005AC315FB62D8529AFB3A8AF94309F50443FB64AA71E3EF7C9D49C65E
                                                                    APIs
                                                                      • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                                      • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,00475300,?,pth_unenc), ref: 0040D1E0
                                                                    • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1F3
                                                                    • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,00475300,?,pth_unenc), ref: 0040D223
                                                                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00475300,?,pth_unenc), ref: 0040D232
                                                                      • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,00475300,pth_unenc,0040D0F3,004752E8,00475300,?,pth_unenc), ref: 0040B8F6
                                                                      • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(00475100), ref: 0040B902
                                                                      • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,pth_unenc), ref: 0040B910
                                                                      • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,00475300), ref: 0041BA30
                                                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D44D
                                                                    • ExitProcess.KERNEL32 ref: 0040D454
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                    • String ID: ")$.vbs$HSG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$tMG$wend$while fso.FileExists("$xdF$xpF
                                                                    • API String ID: 3797177996-4161133245
                                                                    • Opcode ID: e15819e857d9987a51c00828583a567b15247957f90308f654141713cde74a36
                                                                    • Instruction ID: d04a29aa4e51556796b06844e147f4a7cb6a24a543372ca0e3e4f3e54a9e1c14
                                                                    • Opcode Fuzzy Hash: e15819e857d9987a51c00828583a567b15247957f90308f654141713cde74a36
                                                                    • Instruction Fuzzy Hash: 7781A1716082405BC715FB62D8529AF73A8AF94308F10443FB58A671E3EF7C9E49C69E
                                                                    APIs
                                                                    • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750F4,00000003), ref: 004124CF
                                                                    • ExitProcess.KERNEL32(00000000), ref: 004124DB
                                                                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412555
                                                                    • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412564
                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041256F
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00412576
                                                                    • GetCurrentProcessId.KERNEL32 ref: 0041257C
                                                                    • PathFileExistsW.SHLWAPI(?), ref: 004125AD
                                                                    • GetTempPathW.KERNEL32(00000104,?), ref: 00412610
                                                                    • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0041262A
                                                                    • lstrcatW.KERNEL32(?,.exe), ref: 0041263C
                                                                      • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
                                                                    • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041267C
                                                                    • Sleep.KERNEL32(000001F4), ref: 004126BD
                                                                    • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004126D2
                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126DD
                                                                    • CloseHandle.KERNEL32(00000000), ref: 004126E4
                                                                    • GetCurrentProcessId.KERNEL32 ref: 004126EA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                                                    • String ID: (TG$.exe$HSG$WDH$exepath$open$temp_
                                                                    • API String ID: 2649220323-4116078715
                                                                    • Opcode ID: 1946e344db4618885ae756797aea411b1648c6a2fe0413653f6271bec6169604
                                                                    • Instruction ID: 24c9a3d3f9f851b6826daa3a71410153ee30a0e468f06c14c2e22e8a151f545e
                                                                    • Opcode Fuzzy Hash: 1946e344db4618885ae756797aea411b1648c6a2fe0413653f6271bec6169604
                                                                    • Instruction Fuzzy Hash: B551C771A00315BBDB10ABA09C99EFE336D9B04755F10416BF901E72D2EFBC8E85865D
                                                                    APIs
                                                                    • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B1CD
                                                                    • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B1E1
                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660B4), ref: 0041B209
                                                                    • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EF0,00000000), ref: 0041B21F
                                                                    • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B260
                                                                    • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B278
                                                                    • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B28D
                                                                    • SetEvent.KERNEL32 ref: 0041B2AA
                                                                    • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B2BB
                                                                    • CloseHandle.KERNEL32 ref: 0041B2CB
                                                                    • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B2ED
                                                                    • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B2F7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
• API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
• String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
• API String ID: 738084811-1354618412
• Opcode ID: 2b11b628c45eca99bb5b49995ec9e5e18930bda2377682f573c436d8876ee9d7
• Instruction ID: 3073296416e4f75d74a960dba2816641598052066ba22d453d93bca4cbe87184
• Opcode Fuzzy Hash: 2b11b628c45eca99bb5b49995ec9e5e18930bda2377682f573c436d8876ee9d7
• Instruction Fuzzy Hash: 4E51A5B12442056ED714B731DC96EBF379CDB80359F10053FB24A621E2EF789D4986AE
APIs
• CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401D55
• WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401D7F
• WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401D8F
• WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401D9F
• WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401DAF
• WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401DBF
• WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401DD0
• WriteFile.KERNEL32(00000000,00472ACA,00000002,00000000,00000000), ref: 00401DE1
• WriteFile.KERNEL32(00000000,00472ACC,00000004,00000000,00000000), ref: 00401DF1
• WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401E01
• WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401E12
• WriteFile.KERNEL32(00000000,00472AD6,00000002,00000000,00000000), ref: 00401E23
• WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401E33
• WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401E43
Strings
Memory Dump Source
• Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
Yara matches
Similarity
• API ID: File$Write$Create
• String ID: RIFF$WAVE$data$fmt
• API String ID: 1602526932-4212202414
• Opcode ID: 827ce642555df21a050573d9d5a330f37f16d9829fec6a71b542a6fa22e9225d
• Instruction ID: 52f5d26e7cd893c7c7a939122a780f0294375d64c437cdec10b118f5e091287a
• Opcode Fuzzy Hash: 827ce642555df21a050573d9d5a330f37f16d9829fec6a71b542a6fa22e9225d
• Instruction Fuzzy Hash: 61414D72644208BAE210DB51DD85FBB7FECEB89F54F40041AFA44D6081E7A5E909DBB3
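The WriteFile sequence above emits the canonical 44-byte PCM WAV header one field at a time: "RIFF", the RIFF size, "WAVE", "fmt ", the fmt chunk size, format tag, channel count, sample rate, byte rate, block alignment, bits per sample, "data" and the data size. That is how a captured audio stream lands on disk, and it is the layout a responder will look for when carving recordings out of a dump or a dropped file. The parser and carver below is an added example, not code from the sample or from Joe Sandbox: it locates headers of that layout in an arbitrary byte blob and rejects any whose byte rate, block alignment and RIFF size disagree. The field order is the published RIFF/WAVE format; that the format tag is 1 (PCM) and the fmt chunk is 16 bytes are assumptions, since the trace shows those two writes only as unresolved arguments, and the sample input is constructed.

```python
import struct
from dataclasses import dataclass
from typing import Iterator, Optional

# Canonical 44-byte PCM WAV header: the published RIFF/WAVE layout, in the same field
# order as the WriteFile sequence in the trace (RIFF, riff size, WAVE, "fmt ", fmt size,
# format tag, channels, sample rate, byte rate, block align, bits, "data", data size).
HEADER_FMT = "<4sI4s4sIHHIIHH4sI"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 44
PCM_FMT_SIZE = 16                          # assumption: plain PCM fmt chunk, no extension


@dataclass(frozen=True)
class WavHeader:
    offset: int
    riff_size: int
    format_tag: int
    channels: int
    sample_rate: int
    byte_rate: int
    block_align: int
    bits_per_sample: int
    data_size: int

    @property
    def consistent(self) -> bool:
        """Cross-field checks. A writer like the one traced derives block_align and
        byte_rate from channels/bits/rate, so a carved header that fails these is
        either damaged or a false hit on the magic bytes."""
        if self.channels == 0 or self.bits_per_sample == 0:
            return False
        align = self.channels * self.bits_per_sample // 8
        return (self.block_align == align
                and self.byte_rate == self.sample_rate * align
                and self.riff_size == self.data_size + HEADER_LEN - 8)

    @property
    def duration_s(self) -> float:
        return self.data_size / self.byte_rate if self.byte_rate else 0.0


def parse_wav_header(buf: bytes, offset: int = 0) -> Optional[WavHeader]:
    """Return the header at buf[offset:] if it has the canonical layout, else None."""
    if len(buf) - offset < HEADER_LEN:
        return None
    (riff, riff_size, wave, fmt_id, fmt_size, fmt_tag, channels, rate,
     byte_rate, block_align, bits, data_id, data_size) = struct.unpack_from(HEADER_FMT, buf, offset)
    if (riff, wave, fmt_id, data_id) != (b"RIFF", b"WAVE", b"fmt ", b"data"):
        return None
    if fmt_size != PCM_FMT_SIZE:
        return None
    return WavHeader(offset, riff_size, fmt_tag, channels, rate, byte_rate,
                     block_align, bits, data_size)


def carve_wav_headers(blob: bytes) -> Iterator[WavHeader]:
    """Yield every canonical WAV header in an arbitrary blob (memory dump, unallocated
    space, a dropped file of unknown type). Only the header is validated; the caller
    decides whether data_size bytes really follow it."""
    pos = blob.find(b"RIFF")
    while pos != -1:
        hdr = parse_wav_header(blob, pos)
        if hdr is not None:
            yield hdr
        pos = blob.find(b"RIFF", pos + 1)


def build_pcm_header(channels: int, rate: int, bits: int, data_size: int,
                     block_align: Optional[int] = None) -> bytes:
    """Constructed test input: emit a header field by field, as the traced writer does.
    block_align can be overridden to produce a deliberately inconsistent header."""
    if block_align is None:
        block_align = channels * bits // 8
    return struct.pack(HEADER_FMT, b"RIFF", data_size + HEADER_LEN - 8, b"WAVE",
                       b"fmt ", PCM_FMT_SIZE, 1, channels, rate, rate * block_align,
                       block_align, bits, b"data", data_size)
```

A writer that fills the size fields before the recording ends leaves riff_size and data_size as placeholders, so treat a consistency failure on an otherwise well-formed header as a reason to inspect the bytes that follow, not to discard the hit.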
APIs
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe,00000001,00407688,C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe,00000003,004076B0,004752E8,00407709), ref: 004072BF
• GetProcAddress.KERNEL32(00000000), ref: 004072C8
• GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072DD
• GetProcAddress.KERNEL32(00000000), ref: 004072E0
• GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072F1
• GetProcAddress.KERNEL32(00000000), ref: 004072F4
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00407305
• GetProcAddress.KERNEL32(00000000), ref: 00407308
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 00407319
• GetProcAddress.KERNEL32(00000000), ref: 0040731C
• GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040732D
• GetProcAddress.KERNEL32(00000000), ref: 00407330
Strings
Memory Dump Source
• Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
• API String ID: 1646373207-806958351
• Opcode ID: acc633f1adce617efce258e7e3813168510e5abee68bf21287a11e169d765cdb
• Instruction ID: 830827c477b4c5a159b6e54fb752daf43fd3ce12eed95b51e760902f95858ec4
• Opcode Fuzzy Hash: acc633f1adce617efce258e7e3813168510e5abee68bf21287a11e169d765cdb
• Instruction Fuzzy Hash: 66015EA0E4431676DB116F7AAD44D5B7EDD9E41351311087BB405E2292EEBCE800C9AE
APIs
• _wcslen.LIBCMT ref: 0040CE42
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750F4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE5B
• CopyFileW.KERNEL32(C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe,00000000,00000000,00000000,00000000,00000000,?,004750F4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CF0B
• _wcslen.LIBCMT ref: 0040CF21
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CFA9
• CopyFileW.KERNEL32(C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe,00000000,00000000), ref: 0040CFBF
• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFFE
• _wcslen.LIBCMT ref: 0040D001
• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040D018
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750F4,0000000E), ref: 0040D068
• ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000001), ref: 0040D086
• ExitProcess.KERNEL32 ref: 0040D09D
Strings
Memory Dump Source
• Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
Yara matches
Similarity
• API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
• String ID: 6$C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe$del$open$xdF$RG$RG
• API String ID: 1579085052-147516134
• Opcode ID: a676cd901b7bd79e7cee4fd0be3e685eae181f7aa0e3581a73b5b0b2dfd9b902
• Instruction ID: ff97e746579a928a3d51456624c9bd3823d06e613cf3e42bd6c526c8f9e3827f
• Opcode Fuzzy Hash: a676cd901b7bd79e7cee4fd0be3e685eae181f7aa0e3581a73b5b0b2dfd9b902
• Instruction Fuzzy Hash: 8051C620208302ABD615B7769C92A6F67999F84719F10443FF609BA1E3EF7C9C05866E
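The routine above is a relocate-and-relaunch installer: it creates a directory, copies the running executable into it (CopyFileW with the sample's own path as the source), sets attribute 0x00000007 (FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM) on the copy, launches it with ShellExecuteW("open", ...) and then calls ExitProcess. On an endpoint with Sysmon that shows up as a FileCreate (event 11) of an .exe by process P followed within a second or so by a ProcessCreate (event 1) whose Image is that file and whose parent is P, with the child carrying the parent's own hash. The correlation below is an added example, not the report's or the sample's code. The records are constructed, Sysmon-shaped dictionaries (field names as Sysmon emits them); the destination path, PIDs, hashes and timestamps are invented, since the trace does not reveal where the copy is written.

```python
from datetime import datetime
from typing import Dict, List, Tuple

EXE_SUFFIXES = (".exe", ".scr", ".com", ".pif")
SYSMON_TIME = "%Y-%m-%d %H:%M:%S.%f"   # layout of Sysmon's UtcTime field


def _when(ev: Dict) -> datetime:
    return datetime.strptime(ev["UtcTime"], SYSMON_TIME)


def find_drop_and_run(events: List[Dict], window_s: float = 60.0) -> List[Dict]:
    """Pair each FileCreate (EID 11) of an executable with a later ProcessCreate (EID 1)
    whose Image is that file and whose ParentProcessId is the writer, within window_s
    seconds. self_copy is set when the child's hash equals the hash recorded for the
    writer's own ProcessCreate, i.e. the writer launched a copy of itself."""
    hashes_by_pid: Dict[int, str] = {}           # pid -> Hashes from that pid's own EID 1
    drops: Dict[Tuple[int, str], Dict] = {}      # (writer pid, lower-cased path) -> EID 11
    hits: List[Dict] = []
    for ev in sorted(events, key=_when):
        if ev["EventID"] == 11:
            path = ev["TargetFilename"].lower()
            if path.endswith(EXE_SUFFIXES):
                drops[(ev["ProcessId"], path)] = ev
        elif ev["EventID"] == 1:
            hashes_by_pid[ev["ProcessId"]] = ev.get("Hashes", "")
            drop = drops.get((ev["ParentProcessId"], ev["Image"].lower()))
            if drop is None:
                continue
            delay = (_when(ev) - _when(drop)).total_seconds()
            if delay > window_s:
                continue
            parent_hash = hashes_by_pid.get(ev["ParentProcessId"], "")
            hits.append({
                "writer_pid": drop["ProcessId"],
                "writer_image": drop["Image"],
                "dropped": drop["TargetFilename"],
                "child_pid": ev["ProcessId"],
                "delay_s": delay,
                "self_copy": bool(parent_hash) and parent_hash == ev.get("Hashes", ""),
            })
    return hits


# Constructed Sysmon-shaped records (not real telemetry). The first three are the
# pattern the trace implies; the last is an installer that writes an exe without
# launching it, which must not match.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-10-29 12:00:00.000", "ProcessId": 4120,
     "Image": r"C:\Users\user\Desktop\stage1.exe", "ParentProcessId": 3000,
     "ParentImage": r"C:\Windows\explorer.exe", "Hashes": "SHA256=AAAA"},
    {"EventID": 11, "UtcTime": "2024-10-29 12:00:01.100", "ProcessId": 4120,
     "Image": r"C:\Users\user\Desktop\stage1.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\svc\svc.exe"},
    {"EventID": 1, "UtcTime": "2024-10-29 12:00:01.900", "ProcessId": 4188,
     "Image": r"C:\Users\user\AppData\Roaming\svc\svc.exe", "ParentProcessId": 4120,
     "ParentImage": r"C:\Users\user\Desktop\stage1.exe", "Hashes": "SHA256=AAAA"},
    {"EventID": 11, "UtcTime": "2024-10-29 12:05:00.000", "ProcessId": 5000,
     "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetFilename": r"C:\Program Files\Vendor\app.exe"},
]
```

Two caveats when running this over real logs: PIDs are reused, so key on ProcessGuid rather than ProcessId where it is available, and if the "open" verb is brokered through another process the parent of the copy will not be the writer, in which case fall back to matching on TargetFilename alone and let the hash equality carry the weight.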
APIs
  • Part of subcall function 10001CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
  • Part of subcall function 10001CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
  • Part of subcall function 10001CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
• _strlen.LIBCMT ref: 10001855
• _strlen.LIBCMT ref: 10001869
• _strlen.LIBCMT ref: 1000188B
• _strlen.LIBCMT ref: 100018AE
• _strlen.LIBCMT ref: 100018C8
Strings
Memory Dump Source
• Source File: 00000000.00000002.4517676071.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4517659221.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4517676071.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
Similarity
• API ID: _strlen$File$CopyCreateDelete
• String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
• API String ID: 3296212668-3023110444
• Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
• Instruction ID: bb93a2ec4ecc4c0c7ac40ef0fbf5621e946fdf476ba73097d2750e43d9e064ca
• Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
• Instruction Fuzzy Hash: 69612475D04218ABFF11CBE4C851BDEB7F9EF45280F00409AE604A7299EF706A45CF96
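Two blocks above show the two ways this sample keeps its intent out of a plain `strings` pass. The ntdll block (GetModuleHandleW("ntdll.dll") followed by GetProcAddress for RtlInitUnicodeString, NtAllocateVirtualMemory, NtFreeVirtualMemory, RtlAcquirePebLock, RtlReleasePebLock and LdrEnumerateLoadedModules) resolves those exports at run time, so they never appear in the import table and survive only as string literals next to the resolver names. The mail-credential routine in the 10000000 module goes further and stores its keywords as fragments ("Acco", "un", "t", "Pass", "word", "POP3"), each too short for a default minimum-length strings scan. The triage helper below is an added example, not code from the sample or from the report: it extracts ASCII and UTF-16LE strings from a blob and reports resolver and ntdll-export names, then re-joins consecutive NUL-terminated fragments to recover a split keyword. The input blob is constructed, and the assumption that the fragments sit next to each other in the string table is mine; the trace shows the fragments but not their placement.

```python
import re
from typing import Dict, List

# ntdll exports the traced code resolves at run time with GetModuleHandleW/GetProcAddress.
NTDLL_EXPORTS = {
    "RtlInitUnicodeString", "NtAllocateVirtualMemory", "NtFreeVirtualMemory",
    "RtlAcquirePebLock", "RtlReleasePebLock", "LdrEnumerateLoadedModules",
}
# Win32 entry points that make run-time resolution possible in the first place.
RESOLVERS = {"GetModuleHandleW", "GetModuleHandleA", "GetProcAddress",
             "LoadLibraryW", "LoadLibraryA"}


def ascii_strings(blob: bytes, min_len: int = 6) -> List[str]:
    """Printable ASCII runs of at least min_len bytes (what `strings` prints by default)."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(blob)]


def utf16le_strings(blob: bytes, min_len: int = 6) -> List[str]:
    """Printable UTF-16LE runs; names passed to the W APIs are stored in this form."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pat.finditer(blob)]


def dynamic_resolution_indicators(blob: bytes) -> Dict[str, object]:
    """Resolver functions and ntdll exports present as plain strings. Exports fetched
    through GetProcAddress never appear in the import table, so a resolver name sitting
    beside Nt*/Rtl*/Ldr* export names is the triage signal for this technique."""
    found = set(ascii_strings(blob)) | set(utf16le_strings(blob))
    return {
        "ntdll_module_string": "ntdll.dll" in found,
        "resolvers": sorted(RESOLVERS & found),
        "ntdll_exports": sorted(NTDLL_EXPORTS & found),
    }


def nul_terminated_fragments(blob: bytes) -> List[str]:
    """Every NUL-terminated printable run in file order, however short. One- to
    four-byte fragments are exactly what a minimum-length strings pass discards."""
    return [f.decode("ascii") for f in re.findall(rb"([\x20-\x7e]+)\x00", blob)]


def find_fragmented(blob: bytes, keyword: str, max_parts: int = 6) -> List[List[str]]:
    """Runs of up to max_parts consecutive fragments whose concatenation is keyword.
    Assumption: the fragments are adjacent in the string table (not shown by the trace)."""
    frags = nul_terminated_fragments(blob)
    hits: List[List[str]] = []
    for i in range(len(frags)):
        joined = ""
        for j in range(i, min(i + max_parts, len(frags))):
            joined += frags[j]
            if joined == keyword:
                hits.append(frags[i:j + 1])
                break
            if not keyword.startswith(joined):
                break
    return hits


# Constructed blob standing in for a read-only data section (not bytes from the sample):
# a wide module name, two resolver and two export names as plain strings, and the
# mail-credential keywords stored as the fragments the trace lists.
SAMPLE_RDATA = (
    b"\x00" * 4
    + "ntdll.dll".encode("utf-16-le") + b"\x00\x00"
    + b"GetProcAddress\x00GetModuleHandleW\x00"
    + b"NtAllocateVirtualMemory\x00RtlAcquirePebLock\x00"
    + b"\xde\xad"
    + b"Acco\x00un\x00t\x00POP3\x00Pass\x00word\x00"
)
```

The fragment join is deliberately greedy and local: it stops as soon as the partial concatenation is no longer a prefix of the keyword, so it stays linear in the number of fragments and does not produce spurious matches from unrelated short strings. If a sample interleaves its fragments with other data, widen max_parts or match on the decoded string table after emulating the concatenation routine instead.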
                                                                    APIs
                                                                    • lstrlenW.KERNEL32(?), ref: 0041C0C7
                                                                    • _memcmp.LIBVCRUNTIME ref: 0041C0DF
                                                                    • lstrlenW.KERNEL32(?), ref: 0041C0F8
                                                                    • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C133
                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C146
                                                                    • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C18A
                                                                    • lstrcmpW.KERNEL32(?,?), ref: 0041C1A5
                                                                    • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C1BD
                                                                    • _wcslen.LIBCMT ref: 0041C1CC
                                                                    • FindVolumeClose.KERNEL32(?), ref: 0041C1EC
                                                                    • GetLastError.KERNEL32 ref: 0041C204
                                                                    • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C231
                                                                    • lstrcatW.KERNEL32(?,?), ref: 0041C24A
                                                                    • lstrcpyW.KERNEL32(?,?), ref: 0041C259
                                                                    • GetLastError.KERNEL32 ref: 0041C261
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                                    • String ID: ?
                                                                    • API String ID: 3941738427-1684325040
                                                                    • Opcode ID: f867a525b16976b99bb039d508de341a2eaf9024ee8651fbc1bead663617605c
                                                                    • Instruction ID: 8d48ee17a24f37a9bc83e71ffc922dd471ae74eb47091415c6e266b1ff6a60c4
                                                                    • Opcode Fuzzy Hash: f867a525b16976b99bb039d508de341a2eaf9024ee8651fbc1bead663617605c
                                                                    • Instruction Fuzzy Hash: B541A671584316EBD720DFA0DC889DBB7ECEB84745F00092BF545D2162EB78CA88CB96
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4517676071.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4517659221.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4517676071.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: _strlen
                                                                    • String ID: %m$~$Gon~$~F@7$~dra
                                                                    • API String ID: 4218353326-230879103
                                                                    • Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                                                    • Instruction ID: 2a57ee3bda34e0ca62253b4f9cdd28a92c7aa5ebcaa9e167bfd7dd38749d7a78
                                                                    • Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                                                    • Instruction Fuzzy Hash: 9371F5B5D002685BEF11DBB49895BDF7BFCDB05280F104096E644D7246EB74EB85CBA0
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _free$EnvironmentVariable$_wcschr
                                                                    • String ID:
                                                                    • API String ID: 3899193279-0
                                                                    • Opcode ID: a471c829ddd5e79256b59335d7b350d61db07916532beff835d4a4e17985a3d6
                                                                    • Instruction ID: 2409d22e097b45b84bdb59948eb4ebc1cd1141af37d2d18b4001dba56dac1aed
                                                                    • Opcode Fuzzy Hash: a471c829ddd5e79256b59335d7b350d61db07916532beff835d4a4e17985a3d6
                                                                    • Instruction Fuzzy Hash: E3D135B1D003006FFB24AF799D82A6B7BA8EF01314F05417FE945A7382EB7D99098759
                                                                    APIs
                                                                    • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D66B
                                                                    • GetCursorPos.USER32(?), ref: 0041D67A
                                                                    • SetForegroundWindow.USER32(?), ref: 0041D683
                                                                    • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D69D
                                                                    • Shell_NotifyIconA.SHELL32(00000002,00474B58), ref: 0041D6EE
                                                                    • ExitProcess.KERNEL32 ref: 0041D6F6
                                                                    • CreatePopupMenu.USER32 ref: 0041D6FC
                                                                    • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D711
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                                    • String ID: Close
                                                                    • API String ID: 1657328048-3535843008
                                                                    • Opcode ID: 73816c5193d16127c0aec765399ca9dfe531eb1d692a29e38a1feb3416d684dd
                                                                    • Instruction ID: b66198a42bffced696eb94d9f3abdc54ecf3157c52e3fd06dc0985426ba48be4
                                                                    • Opcode Fuzzy Hash: 73816c5193d16127c0aec765399ca9dfe531eb1d692a29e38a1feb3416d684dd
                                                                    • Instruction Fuzzy Hash: 51216BB1500208FFDF054FA4ED0EAAA7B35EB08302F000125FA19950B2D779EDA1EB18
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _free$Info
                                                                    • String ID:
                                                                    • API String ID: 2509303402-0
                                                                    • Opcode ID: 6f6fc0ac27b4b2f00b1102b51bee0220b0be09f2ed36c41455f2b0a14b53fe9c
                                                                    • Instruction ID: 03d8b0dccc9171d7b4ee81f85837dfa1205ba0d7832ce976ccf3d084d520ac26
                                                                    • Opcode Fuzzy Hash: 6f6fc0ac27b4b2f00b1102b51bee0220b0be09f2ed36c41455f2b0a14b53fe9c
                                                                    • Instruction Fuzzy Hash: AFB1CE719002059FEB21DF69C881BEEBBF4BF09304F15842EF495A7242DB79AC458B69
                                                                    APIs
                                                                    • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408D1E
                                                                    • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D56
                                                                    • __aulldiv.LIBCMT ref: 00408D88
                                                                      • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                      • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                    • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408EAB
                                                                    • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408EC6
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00408F9F
                                                                    • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FE9
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00409037
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                                                    • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $xdF
                                                                    • API String ID: 3086580692-731956494
                                                                    • Opcode ID: 9db4e91b95c76e5edbd292d4baa53beaf22e3459b4768787c96c6f20b69a6f91
                                                                    • Instruction ID: 2d1ece25e1b497defd969945f9de4b01d63c4d7912a1bb42583949d7b10afa87
                                                                    • Opcode Fuzzy Hash: 9db4e91b95c76e5edbd292d4baa53beaf22e3459b4768787c96c6f20b69a6f91
                                                                    • Instruction Fuzzy Hash: 76B1A0316083409BC314FB26C941AAFB7E5AFC4358F40492FF589622D2EF789945CB9B
                                                                    APIs
                                                                      • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                                      • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                                      • Part of subcall function 00413733: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,00475300), ref: 0041374F
                                                                      • Part of subcall function 00413733: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00413768
                                                                      • Part of subcall function 00413733: RegCloseKey.KERNEL32(00000000), ref: 00413773
                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D894
                                                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D9F3
                                                                    • ExitProcess.KERNEL32 ref: 0040D9FF
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                                    • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$HSG$Temp$exepath$open$xdF
                                                                    • API String ID: 1913171305-3121233398
                                                                    • Opcode ID: ea53210127afbc95078edb33410f87b374f1afdd9874f35c0ce5cc0d7b4dc831
                                                                    • Instruction ID: 050033375253242a90a907d975c9615f3488646990559cd5331657e2136e0730
                                                                    • Opcode Fuzzy Hash: ea53210127afbc95078edb33410f87b374f1afdd9874f35c0ce5cc0d7b4dc831
                                                                    • Instruction Fuzzy Hash: 514139319001155ACB15FBA2DC56DEEB778AF50709F10017FB10AB21E2FF785E4ACA98
                                                                    APIs
                                                                    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                                                    • LoadLibraryA.KERNEL32(?), ref: 00414E52
                                                                    • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                                                    • FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                                                    • LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                                                    • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                                                    • FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                                                    • FreeLibrary.KERNEL32(00000000), ref: 00414EF0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                                    • String ID: \ws2_32$\wship6$getaddrinfo
                                                                    • API String ID: 2490988753-3078833738
                                                                    • Opcode ID: 93ac1047b93552b97dd98974212ca4d4f14522e3aac142c7c555de1a9c5e5d12
                                                                    • Instruction ID: 3afff981d8ce70f6205f85204df1f21ec1f12b20cff6a054e3a0857f0929e507
                                                                    • Opcode Fuzzy Hash: 93ac1047b93552b97dd98974212ca4d4f14522e3aac142c7c555de1a9c5e5d12
                                                                    • Instruction Fuzzy Hash: 3231C2B2906315ABD7209F65CC84EDF76DCAB84754F004A2AF984A3211D738D985CBAE
                                                                    APIs
                                                                    • ___free_lconv_mon.LIBCMT ref: 0045138A
                                                                      • Part of subcall function 00450582: _free.LIBCMT ref: 0045059F
                                                                      • Part of subcall function 00450582: _free.LIBCMT ref: 004505B1
                                                                      • Part of subcall function 00450582: _free.LIBCMT ref: 004505C3
                                                                      • Part of subcall function 00450582: _free.LIBCMT ref: 004505D5
                                                                      • Part of subcall function 00450582: _free.LIBCMT ref: 004505E7
                                                                      • Part of subcall function 00450582: _free.LIBCMT ref: 004505F9
                                                                      • Part of subcall function 00450582: _free.LIBCMT ref: 0045060B
                                                                      • Part of subcall function 00450582: _free.LIBCMT ref: 0045061D
                                                                      • Part of subcall function 00450582: _free.LIBCMT ref: 0045062F
                                                                      • Part of subcall function 00450582: _free.LIBCMT ref: 00450641
                                                                      • Part of subcall function 00450582: _free.LIBCMT ref: 00450653
                                                                      • Part of subcall function 00450582: _free.LIBCMT ref: 00450665
                                                                      • Part of subcall function 00450582: _free.LIBCMT ref: 00450677
                                                                    • _free.LIBCMT ref: 0045137F
                                                                      • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                      • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                    • _free.LIBCMT ref: 004513A1
                                                                    • _free.LIBCMT ref: 004513B6
                                                                    • _free.LIBCMT ref: 004513C1
                                                                    • _free.LIBCMT ref: 004513E3
                                                                    • _free.LIBCMT ref: 004513F6
                                                                    • _free.LIBCMT ref: 00451404
                                                                    • _free.LIBCMT ref: 0045140F
                                                                    • _free.LIBCMT ref: 00451447
                                                                    • _free.LIBCMT ref: 0045144E
                                                                    • _free.LIBCMT ref: 0045146B
                                                                    • _free.LIBCMT ref: 00451483
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                    • String ID:
                                                                    • API String ID: 161543041-0
                                                                    • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                                                    • Instruction ID: 2428002f6fd8eb1a99257b9b861ac38f7c05b5b97acacff09fd9d8cf260fe807
                                                                    • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                                                    • Instruction Fuzzy Hash: 403193715003009FEB20AA39D846F5B73E8EF02315F62992FE849D7662DF78AD44C729
                                                                    APIs
                                                                    • ___free_lconv_mon.LIBCMT ref: 10007D06
                                                                      • Part of subcall function 100090BA: _free.LIBCMT ref: 100090D7
                                                                      • Part of subcall function 100090BA: _free.LIBCMT ref: 100090E9
                                                                      • Part of subcall function 100090BA: _free.LIBCMT ref: 100090FB
                                                                      • Part of subcall function 100090BA: _free.LIBCMT ref: 1000910D
                                                                      • Part of subcall function 100090BA: _free.LIBCMT ref: 1000911F
                                                                      • Part of subcall function 100090BA: _free.LIBCMT ref: 10009131
                                                                      • Part of subcall function 100090BA: _free.LIBCMT ref: 10009143
                                                                      • Part of subcall function 100090BA: _free.LIBCMT ref: 10009155
                                                                      • Part of subcall function 100090BA: _free.LIBCMT ref: 10009167
                                                                      • Part of subcall function 100090BA: _free.LIBCMT ref: 10009179
                                                                      • Part of subcall function 100090BA: _free.LIBCMT ref: 1000918B
                                                                      • Part of subcall function 100090BA: _free.LIBCMT ref: 1000919D
                                                                      • Part of subcall function 100090BA: _free.LIBCMT ref: 100091AF
                                                                    • _free.LIBCMT ref: 10007CFB
                                                                      • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                      • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                    • _free.LIBCMT ref: 10007D1D
                                                                    • _free.LIBCMT ref: 10007D32
                                                                    • _free.LIBCMT ref: 10007D3D
                                                                    • _free.LIBCMT ref: 10007D5F
                                                                    • _free.LIBCMT ref: 10007D72
                                                                    • _free.LIBCMT ref: 10007D80
                                                                    • _free.LIBCMT ref: 10007D8B
                                                                    • _free.LIBCMT ref: 10007DC3
                                                                    • _free.LIBCMT ref: 10007DCA
                                                                    • _free.LIBCMT ref: 10007DE7
                                                                    • _free.LIBCMT ref: 10007DFF
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4517676071.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4517659221.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4517676071.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                    • String ID:
                                                                    • API String ID: 161543041-0
                                                                    • Opcode ID: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                                                    • Instruction ID: 6de9b84f5b51ee4e35cbeb1ed48e08772f21b212059d2ac72beb9c863e9ed859
                                                                    • Opcode Fuzzy Hash: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                                                    • Instruction Fuzzy Hash: 90313931A04645EFFB21DA38E941B6A77FAFF002D1F11446AE84DDB159DE3ABC809B14
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _free
                                                                    • String ID:
                                                                    • API String ID: 269201875-0
                                                                    • Opcode ID: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                                                                    • Instruction ID: 80ca3ff3fa16d46db3e6ae4c9b8471dba03f652ca918f9f25067e0b92ee87d4d
                                                                    • Opcode Fuzzy Hash: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                                                                    • Instruction Fuzzy Hash: 30C183B6D40204ABEB20DBA9CC43FDE77F8AB09705F150166FE04EB283D6B49D459768
                                                                    APIs
                                                                      • Part of subcall function 00455929: CreateFileW.KERNEL32(00000000,00000000,?,00455D04,?,?,00000000,?,00455D04,00000000,0000000C), ref: 00455946
                                                                    • GetLastError.KERNEL32 ref: 00455D6F
                                                                    • __dosmaperr.LIBCMT ref: 00455D76
                                                                    • GetFileType.KERNEL32(00000000), ref: 00455D82
                                                                    • GetLastError.KERNEL32 ref: 00455D8C
                                                                    • __dosmaperr.LIBCMT ref: 00455D95
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00455DB5
                                                                    • CloseHandle.KERNEL32(?), ref: 00455EFF
                                                                    • GetLastError.KERNEL32 ref: 00455F31
                                                                    • __dosmaperr.LIBCMT ref: 00455F38
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                    • String ID: H
                                                                    • API String ID: 4237864984-2852464175
                                                                    • Opcode ID: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                                                    • Instruction ID: 7cd045c9b8f196398d23f94ba58010557f508cd7b58f44c29b3e784ccbbfb847
                                                                    • Opcode Fuzzy Hash: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                                                    • Instruction Fuzzy Hash: 44A14532A106049FDF19AF68DC657BE3BA0EB06325F24015EEC11AB392D6398D1AC759
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _free
                                                                    • String ID: \&G$\&G$`&G
                                                                    • API String ID: 269201875-253610517
                                                                    • Opcode ID: fb4e3dbc149d2c7ead481d14af816bdca3ff316622b678324ba67e9487465dd6
                                                                    • Instruction ID: 59c4f5d9f803fa3be21c2588ad204ea2c1e8261bb9e1a4607c4596bf86990b35
                                                                    • Opcode Fuzzy Hash: fb4e3dbc149d2c7ead481d14af816bdca3ff316622b678324ba67e9487465dd6
                                                                    • Instruction Fuzzy Hash: 86610E75900205AFDB21DF69C842B9ABBF4EF06710F24426BED44EB242E774AD45CB58
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 65535$udp
                                                                    • API String ID: 0-1267037602
                                                                    • Opcode ID: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                                                    • Instruction ID: a9902b4e2b63063b067a15c036b171ad6d3a8658db747517b03e91dd9f9ead29
                                                                    • Opcode Fuzzy Hash: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                                                    • Instruction Fuzzy Hash: FB51D431605301ABDB609B14E905BFB77E8ABC5754F08042FF88597390E76CCCC1969E
                                                                    APIs
                                                                    • __Init_thread_footer.LIBCMT ref: 0040AD73
                                                                    • Sleep.KERNEL32(000001F4), ref: 0040AD7E
                                                                    • GetForegroundWindow.USER32 ref: 0040AD84
                                                                    • GetWindowTextLengthW.USER32(00000000), ref: 0040AD8D
                                                                    • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040ADC1
                                                                    • Sleep.KERNEL32(000003E8), ref: 0040AE8F
                                                                      • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                                    • String ID: [${ User has been idle for $ minutes }$]
                                                                    • API String ID: 911427763-3954389425
                                                                    • Opcode ID: 860293993ee6fe711b34b55e24da4e9031202fc9cdab99022280a117dabfe14f
                                                                    • Instruction ID: 1462e2e3b317a3feaa81e481452c264ee2198f2d95b6ea563507fc8e19ff55dc
                                                                    • Opcode Fuzzy Hash: 860293993ee6fe711b34b55e24da4e9031202fc9cdab99022280a117dabfe14f
                                                                    • Instruction Fuzzy Hash: 7F51E1716043419BC714FB62D846AAE7795AF84308F10093FF546A22E2EF7C9D44C69F
                                                                    APIs
                                                                    • OpenClipboard.USER32 ref: 0041697C
                                                                    • EmptyClipboard.USER32 ref: 0041698A
                                                                    • CloseClipboard.USER32 ref: 00416990
                                                                    • OpenClipboard.USER32 ref: 00416997
                                                                    • GetClipboardData.USER32(0000000D), ref: 004169A7
                                                                    • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                                                    • CloseClipboard.USER32 ref: 004169BF
                                                                      • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                                    • String ID: !D@$xdF
                                                                    • API String ID: 2172192267-3540039394
                                                                    • Opcode ID: b4eebd8064e1d3ae19988ffe7f9e4a79f94da60c764102ad9dda3ddd019c80b2
                                                                    • Instruction ID: 51ec5b3583c04982a71d168622c94cade283f75070810aedfe93923cca0dc87c
                                                                    • Opcode Fuzzy Hash: b4eebd8064e1d3ae19988ffe7f9e4a79f94da60c764102ad9dda3ddd019c80b2
                                                                    • Instruction Fuzzy Hash: 41014C31204301EFC714BB72DC49AAE7BA5AF88742F40047EF906861E2DF388C45C659
                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401BD9,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A912
                                                                    • GetLastError.KERNEL32(?,?,00401BD9,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A91F
                                                                    • __dosmaperr.LIBCMT ref: 0043A926
                                                                    • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401BD9,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A952
                                                                    • GetLastError.KERNEL32(?,?,?,00401BD9,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A95C
                                                                    • __dosmaperr.LIBCMT ref: 0043A963
                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401BD9,?), ref: 0043A9A6
                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,00401BD9,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A9B0
                                                                    • __dosmaperr.LIBCMT ref: 0043A9B7
                                                                    • _free.LIBCMT ref: 0043A9C3
                                                                    • _free.LIBCMT ref: 0043A9CA
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                                    • String ID:
                                                                    • API String ID: 2441525078-0
                                                                    • Opcode ID: 1b21161869a1c6c97ce00f002d4111b93a94d55ba7b455788bfa216644d838f2
                                                                    • Instruction ID: 3a2165a63a30732921e8d6571a772c998230e0148124485b419b79488018c54b
                                                                    • Opcode Fuzzy Hash: 1b21161869a1c6c97ce00f002d4111b93a94d55ba7b455788bfa216644d838f2
                                                                    • Instruction Fuzzy Hash: 8631D5B180420AFBDF01AFA5CC45EAF3B6CEF09324F11451AF950662A1DB38CD61DB66
                                                                    APIs
                                                                    • Sleep.KERNEL32(00001388), ref: 0040A77B
                                                                      • Part of subcall function 0040A6B0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                                                      • Part of subcall function 0040A6B0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                                                      • Part of subcall function 0040A6B0: Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                                                      • Part of subcall function 0040A6B0: CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                                                    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A7B7
                                                                    • GetFileAttributesW.KERNEL32(00000000), ref: 0040A7C8
                                                                    • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7DF
                                                                    • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A859
                                                                      • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                                                    • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466478,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A962
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                                    • String ID: HSG$HSG$xdF
                                                                    • API String ID: 3795512280-1850865910
                                                                    • Opcode ID: 0400afea1f5a00dd62ea3da6076e8e1c1b71d3f85647d7dba7c26e7eb2bec04a
                                                                    • Instruction ID: b4a8632174cffc949347442128fe52ffedc09667b4c22c284aa084888e76bad6
                                                                    • Opcode Fuzzy Hash: 0400afea1f5a00dd62ea3da6076e8e1c1b71d3f85647d7dba7c26e7eb2bec04a
                                                                    • Instruction Fuzzy Hash: AC518D716043015ACB15BB72C866ABE77AA9F80349F00483FF642B71E2DF7C9D09865E
                                                                    APIs
                                                                    • SetEvent.KERNEL32(?,?), ref: 004054BF
                                                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                                                                    • TranslateMessage.USER32(?), ref: 0040557E
                                                                    • DispatchMessageA.USER32(?), ref: 00405589
                                                                    • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F88), ref: 00405641
                                                                    • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                                                                      • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                                    • String ID: CloseChat$DisplayMessage$GetMessage
                                                                    • API String ID: 2956720200-749203953
                                                                    • Opcode ID: bed857edb3d4d0d9e4dc7e504f636de3257c1cfa59406722444ef7f76ec7c0b4
                                                                    • Instruction ID: af141abdc89e6f99b360bf73ca1bd21391e8bea30a055eafc68b1e1601de11b4
                                                                    • Opcode Fuzzy Hash: bed857edb3d4d0d9e4dc7e504f636de3257c1cfa59406722444ef7f76ec7c0b4
                                                                    • Instruction Fuzzy Hash: 6F419E71604301ABCB14FB76DC5A86F37A9AB85704F40493EF516A32E1EF3C8905CB9A
                                                                    APIs
                                                                      • Part of subcall function 00417F67: __EH_prolog.LIBCMT ref: 00417F6C
                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660B4), ref: 00417E17
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00417E20
                                                                    • DeleteFileA.KERNEL32(00000000), ref: 00417E2F
                                                                    • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DE3
                                                                      • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                                                    • String ID: <$@$@VG$@VG$Temp
                                                                    • API String ID: 1704390241-1291085672
                                                                    • Opcode ID: 729328760b6d8754d2d8465bacbdfac456b4ffc36ce0e0137ca47fd0a7c35a22
                                                                    • Instruction ID: 17e4c8e037c7e297ff37edeb8814921eaebe5ca95f3622e3753009d7d6553322
                                                                    • Opcode Fuzzy Hash: 729328760b6d8754d2d8465bacbdfac456b4ffc36ce0e0137ca47fd0a7c35a22
                                                                    • Instruction Fuzzy Hash: 15417E319002199ACB14FB62DC56AEE7735AF00318F50417EF50A761E1EF7C5A8ACB99
                                                                    APIs
                                                                    • GetCurrentProcess.KERNEL32(00472B28,00000000,RGw@,00003000,00000004,00000000,00000001), ref: 00407418
                                                                    • GetCurrentProcess.KERNEL32(00472B28,00000000,00008000,?,00000000,00000001,00000000,00407691,C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe), ref: 004074D9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CurrentProcess
                                                                    • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir$RGw@
                                                                    • API String ID: 2050909247-1783200977
                                                                    • Opcode ID: 1a1eb9634b651143de70fee5b7a2289a57af99024fb0b6e7e4d2875ac9661c3b
                                                                    • Instruction ID: b8c3dc73ce560081c95a6921e0e4b034ac7c55c8f908ce4a4bfc67d5bc942e58
                                                                    • Opcode Fuzzy Hash: 1a1eb9634b651143de70fee5b7a2289a57af99024fb0b6e7e4d2875ac9661c3b
                                                                    • Instruction Fuzzy Hash: 7631C271604700ABD311EF65DE46F1677A8FB48315F10087EF509E6292DBB8B8418B6E
                                                                    APIs
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00410EA9
                                                                    • int.LIBCPMT ref: 00410EBC
                                                                      • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                                                      • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                                                    • std::_Facet_Register.LIBCPMT ref: 00410EFC
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00410F05
                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00410F23
                                                                    • __Init_thread_footer.LIBCMT ref: 00410F64
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                                                    • String ID: <kG$@!G$@kG
                                                                    • API String ID: 3815856325-4100743575
                                                                    • Opcode ID: 92c60c4b3aca24074658904995ff5281d88556c34e2f97828f11a1926fe6b537
                                                                    • Instruction ID: 0588f859592fb32d2b707c82d02c9514845f82bff388d80d729849e078334d39
                                                                    • Opcode Fuzzy Hash: 92c60c4b3aca24074658904995ff5281d88556c34e2f97828f11a1926fe6b537
                                                                    • Instruction Fuzzy Hash: 622107329005249BCB14FBAAD8429DE7769DF48324F21416FF904E72D1DBB9AD818BDC
                                                                    APIs
                                                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABAD
                                                                    • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABC4
                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABD1
                                                                    • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABE0
                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF1
                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF4
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Service$CloseHandle$Open$ControlManager
                                                                    • String ID:
                                                                    • API String ID: 221034970-0
                                                                    • Opcode ID: f3cbb515e58a4fb37b38339a7557c8d97296d1e23fa900708d81cf8e9cd3026f
                                                                    • Instruction ID: a7ddf6af562b27afc3fdb57d9320cc893b1711f81dd6882f7bac22400d97ef93
                                                                    • Opcode Fuzzy Hash: f3cbb515e58a4fb37b38339a7557c8d97296d1e23fa900708d81cf8e9cd3026f
                                                                    • Instruction Fuzzy Hash: 1411E931501218BFD711AF64DC85CFF3B6CDB41B66B000426FA0692191EB689D46AAFA
                                                                    APIs
                                                                    • _free.LIBCMT ref: 004481B5
                                                                      • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                      • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                    • _free.LIBCMT ref: 004481C1
                                                                    • _free.LIBCMT ref: 004481CC
                                                                    • _free.LIBCMT ref: 004481D7
                                                                    • _free.LIBCMT ref: 004481E2
                                                                    • _free.LIBCMT ref: 004481ED
                                                                    • _free.LIBCMT ref: 004481F8
                                                                    • _free.LIBCMT ref: 00448203
                                                                    • _free.LIBCMT ref: 0044820E
                                                                    • _free.LIBCMT ref: 0044821C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                    • String ID:
                                                                    • API String ID: 776569668-0
                                                                    • Opcode ID: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                                                    • Instruction ID: 68a5115f29dd4dda1e04096f5587add38bc33a27c3b2fba9646c6a67a64c999e
                                                                    • Opcode Fuzzy Hash: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                                                    • Instruction Fuzzy Hash: AA11E9B6901108BFDB01FF55C852CDD3B65FF05354B0244AAF9488F222DB75DE509B95
                                                                    APIs
                                                                    • _free.LIBCMT ref: 100059EA
                                                                      • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                      • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                    • _free.LIBCMT ref: 100059F6
                                                                    • _free.LIBCMT ref: 10005A01
                                                                    • _free.LIBCMT ref: 10005A0C
                                                                    • _free.LIBCMT ref: 10005A17
                                                                    • _free.LIBCMT ref: 10005A22
                                                                    • _free.LIBCMT ref: 10005A2D
                                                                    • _free.LIBCMT ref: 10005A38
                                                                    • _free.LIBCMT ref: 10005A43
                                                                    • _free.LIBCMT ref: 10005A51
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4517676071.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4517659221.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4517676071.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                    • String ID:
                                                                    • API String ID: 776569668-0
                                                                    • Opcode ID: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                                                                    • Instruction ID: 60753d52f1e9cb5801f9add085180c5dd3fc305f79823ad6bc57240ee419c635
                                                                    • Opcode Fuzzy Hash: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                                                                    • Instruction Fuzzy Hash: BE11B97E514548FFEB11DF58D842CDE3FA9EF04291B4540A1BD088F12ADA32EE50AB84
                                                                    APIs
                                                                    • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C742
                                                                    • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041C786
                                                                    • RegCloseKey.ADVAPI32(?), ref: 0041CA50
                                                                    Strings
                                                                    • DisplayName, xrefs: 0041C7CD
                                                                    • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041C738
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseEnumOpen
                                                                    • String ID: DisplayName$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                    • API String ID: 1332880857-3614651759
                                                                    • Opcode ID: 0758d2217d4cdf4be18b27332201ce298183b926a753a4e26667fde6bb3e7a3c
                                                                    • Instruction ID: 8204223968f620e226549da85b9b34a309c849e8d9bbed411749b7727356edba
                                                                    • Opcode Fuzzy Hash: 0758d2217d4cdf4be18b27332201ce298183b926a753a4e26667fde6bb3e7a3c
                                                                    • Instruction Fuzzy Hash: 3E8133311082459BC325EF11D851EEFB7E8BF94309F10492FB589921A2FF74AE49CA5A
                                                                    APIs
                                                                    • __EH_prolog.LIBCMT ref: 0041A04A
                                                                    • GdiplusStartup.GDIPLUS(00474AE0,?,00000000), ref: 0041A07C
                                                                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A108
                                                                    • Sleep.KERNEL32(000003E8), ref: 0041A18E
                                                                    • GetLocalTime.KERNEL32(?), ref: 0041A196
                                                                    • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A285
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                                    • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                                                    • API String ID: 489098229-3790400642
                                                                    • Opcode ID: 5919f3c6d8937f10c9d3a57548d59e68e1aceb692d4a34d8b1fbfbe8317266ff
                                                                    • Instruction ID: ac563f1b8c988fbcbdb25ffa0f060f034023d1de15a29d9718e9897573209577
                                                                    • Opcode Fuzzy Hash: 5919f3c6d8937f10c9d3a57548d59e68e1aceb692d4a34d8b1fbfbe8317266ff
                                                                    • Instruction Fuzzy Hash: 3F518E70A00215AACB14BBB5C8529FD77A9AF54308F40403FF509AB1E2EF7C4D85C799
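The function above initialises GDI+ and creates directories whose names come from the two format strings in the String ID line, `time_%04i%02i%02i_%02i%02i%02i` and `wnd_%04i%02i%02i_%02i%02i%02i`, filled from GetLocalTime. That naming is a usable host artefact for a responder triaging a Remcos infection. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it turns the recovered printf-style formats into regular expressions (the general conversion, of which the two strings here are one instance), rejects names whose digits do not form a real date, and sorts the surviving hits so the first capture gives the earliest activity. The directory listing is constructed for the demonstration; the assumption that the captures live under a directory whose listing can be fed to the function as names is mine.

```python
import re
from datetime import datetime

# Format strings recovered from the sample (see the String ID line above).
CAPTURE_NAME_FORMATS = (
    "time_%04i%02i%02i_%02i%02i%02i",   # timed screen captures
    "wnd_%04i%02i%02i_%02i%02i%02i",    # window-triggered captures
)

# One printf integer conversion: %04i, %02i, %i, %d, %u ...
_SPEC = re.compile(r"%(\d*)[diu]")


def format_to_regex(fmt):
    """Turn a printf-style integer format into a regex with one group per field.

    "%04i" becomes (\\d{4}); a bare "%i" becomes (\\d+). Literal text is escaped.
    """
    parts, pos = [], 0
    for m in _SPEC.finditer(fmt):
        parts.append(re.escape(fmt[pos:m.start()]))
        width = m.group(1).lstrip("0")          # "04" -> "4", "" -> variable width
        parts.append(r"(\d{%s})" % width if width else r"(\d+)")
        pos = m.end()
    parts.append(re.escape(fmt[pos:]))
    return "".join(parts)


# (kind, compiled anchored regex) for each recovered format.
CAPTURE_PATTERNS = [(fmt.split("_", 1)[0], re.compile("^" + format_to_regex(fmt) + "$"))
                    for fmt in CAPTURE_NAME_FORMATS]


def parse_capture_name(name):
    """Return (kind, timestamp) if name matches a capture pattern and encodes a real date."""
    for kind, rx in CAPTURE_PATTERNS:
        m = rx.match(name)
        if not m:
            continue
        fields = [int(g) for g in m.groups()]   # year, month, day, hour, minute, second
        try:
            return kind, datetime(*fields)
        except ValueError:                      # right shape, impossible date/time
            return None
    return None


def hunt_capture_dirs(names):
    """Filter a directory listing down to capture names, ordered oldest first."""
    hits = []
    for n in names:
        parsed = parse_capture_name(n)
        if parsed:
            kind, ts = parsed
            hits.append((ts, kind, n))
    hits.sort()
    return [(kind, name) for _, kind, name in hits]


# Constructed directory names for the demonstration; not taken from the report.
SAMPLE_LISTING = [
    "time_20241029_143005",
    "wnd_20241029_143130",
    "time_20241399_990000",   # right shape, month 13: ignored
    "time_2024102_1430",      # wrong field widths: ignored
    "Screenshots",
    "wnd_20241028_235959",
]

if __name__ == "__main__":
    for kind, name in hunt_capture_dirs(SAMPLE_LISTING):
        print(kind, name)
```

Because the names carry local time rather than UTC, compare them against the host's time zone when lining them up with network or C2 timestamps.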
                                                                    APIs
                                                                    • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417530
                                                                      • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                                                    • Sleep.KERNEL32(00000064), ref: 0041755C
                                                                    • DeleteFileW.KERNEL32(00000000), ref: 00417590
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$CreateDeleteExecuteShellSleep
                                                                    • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                                    • API String ID: 1462127192-2001430897
                                                                    • Opcode ID: 7ae9b88ac44d9fae8c6f8244a54d471a9f83dcca97fe4f246c0da79332dd2308
                                                                    • Instruction ID: 4d831fdf2c11e0d815db77489a542135a470e493f6e320739c61594aa9f7fbeb
                                                                    • Opcode Fuzzy Hash: 7ae9b88ac44d9fae8c6f8244a54d471a9f83dcca97fe4f246c0da79332dd2308
                                                                    • Instruction Fuzzy Hash: A4313D71940119AADB04FBA1DC96DED7739AF50309F00017EF606731E2EF785A8ACA9C
                                                                    APIs
                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D507
                                                                      • Part of subcall function 0041D5A0: RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                                                      • Part of subcall function 0041D5A0: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                                                      • Part of subcall function 0041D5A0: GetLastError.KERNEL32 ref: 0041D611
                                                                    • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D53E
                                                                    • lstrcpynA.KERNEL32(00474B70,Remcos,00000080), ref: 0041D558
                                                                    • Shell_NotifyIconA.SHELL32(00000000,00474B58), ref: 0041D56E
                                                                    • TranslateMessage.USER32(?), ref: 0041D57A
                                                                    • DispatchMessageA.USER32(?), ref: 0041D584
                                                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D591
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                                    • String ID: Remcos
                                                                    • API String ID: 1970332568-165870891
                                                                    • Opcode ID: 731e0475cdd51c62647780fa2fa3280f65193767bc99efc51189d173a824088e
                                                                    • Instruction ID: c2fc9e39e559a2afed00746d39c192473857db467f2681b349ddfe36236392a3
                                                                    • Opcode Fuzzy Hash: 731e0475cdd51c62647780fa2fa3280f65193767bc99efc51189d173a824088e
                                                                    • Instruction Fuzzy Hash: 11015EB1840348EBD7109FA1EC4CFABBBBCABC5705F00406AF505921A1D7B8E885CB6D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fe4c6299b1f4debc2f0613a6a4b69777743e78c2e08cef74df9dc0c7942dc402
                                                                    • Instruction ID: c312da418a410335279f0cc1971bad4557be7deeadefc114a47e367d78dfde09
                                                                    • Opcode Fuzzy Hash: fe4c6299b1f4debc2f0613a6a4b69777743e78c2e08cef74df9dc0c7942dc402
                                                                    • Instruction Fuzzy Hash: 94C1FA70D04249AFEF11DFA8CC41BAE7BB0AF09304F19415AE915A7392C77C9941CB69
                                                                    APIs
                                                                    • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,004540DC,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453EAF
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F32
                                                                    • __alloca_probe_16.LIBCMT ref: 00453F6A
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,004540DC,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FC5
                                                                    • __alloca_probe_16.LIBCMT ref: 00454014
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FDC
                                                                      • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00454058
                                                                    • __freea.LIBCMT ref: 00454083
                                                                    • __freea.LIBCMT ref: 0045408F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                                    • String ID:
                                                                    • API String ID: 201697637-0
                                                                    • Opcode ID: c58c81590331c8434bd69e2fe975192d11ab6ad4f25d793436d733d3ebd853b6
                                                                    • Instruction ID: 957693029e8655488503f3238c5b69ab87e72ad781d0cd1ca1c521277c14990f
                                                                    • Opcode Fuzzy Hash: c58c81590331c8434bd69e2fe975192d11ab6ad4f25d793436d733d3ebd853b6
                                                                    • Instruction Fuzzy Hash: 2B91D472E002069BDB208E65C846EEFBBF59F49756F14051BED00EB282D73DCD898769
                                                                    APIs
                                                                    • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
                                                                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
                                                                    • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D58
                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D72
                                                                    • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D7D
                                                                    • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D8A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4517676071.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                     • Associated: 00000000.00000002.4517659221.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                     • Associated: 00000000.00000002.4517676071.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: File$Delete$CloseCopyCreateHandleReadSize
                                                                    • String ID:
                                                                    • API String ID: 1454806937-0
                                                                    • Opcode ID: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                                                                    • Instruction ID: 3114db45d92e83daf92c47a85baf70c14dd0292bf94a6379629bf72341f68b19
                                                                    • Opcode Fuzzy Hash: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                                                                    • Instruction Fuzzy Hash: 2221FCB594122CAFF710EBA08CCCFEF76ACEB08395F010566F515D2154D6709E458A70
                                                                    APIs
                                                                      • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                      • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                      • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                      • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                    • _memcmp.LIBVCRUNTIME ref: 004454A4
                                                                    • _free.LIBCMT ref: 00445515
                                                                    • _free.LIBCMT ref: 0044552E
                                                                    • _free.LIBCMT ref: 00445560
                                                                    • _free.LIBCMT ref: 00445569
                                                                    • _free.LIBCMT ref: 00445575
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _free$ErrorLast$_abort_memcmp
                                                                    • String ID: C
                                                                    • API String ID: 1679612858-1037565863
                                                                    • Opcode ID: 988bd1a8119ed4a709ec3dab848aee85f0f523c2f313b021c20f4b3607b372ff
                                                                    • Instruction ID: c5fa7cd4a0def74fccfc383a36f0c71fd12082b8797d706f49daa7c6421ebafc
                                                                    • Opcode Fuzzy Hash: 988bd1a8119ed4a709ec3dab848aee85f0f523c2f313b021c20f4b3607b372ff
                                                                    • Instruction Fuzzy Hash: D4B13775A016199FEB24DF18C885BAEB7B4FF48304F5085EAE809A7351E774AE90CF44
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: tcp$udp
                                                                    • API String ID: 0-3725065008
                                                                    • Opcode ID: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                                                    • Instruction ID: 4fb2fbaa1818e082f2863e0a7c91e4ace7fe62ed23b491eff3584b955907a2f3
                                                                    • Opcode Fuzzy Hash: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                                                    • Instruction Fuzzy Hash: FC7197706083028FDB248F55D4817ABB7E4AFC8355F20482FF88697351E778DE858B9A
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Eventinet_ntoa
                                                                    • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
                                                                    • API String ID: 3578746661-168337528
                                                                    • Opcode ID: 6d28489afd2ef05e10e175e6f533878534547e3145ea4d9c79538d57604b913b
                                                                    • Instruction ID: cd9a01f22de2d9f6a9994d78948339ea64d6c0f71f497d0a384e35af32d82467
                                                                    • Opcode Fuzzy Hash: 6d28489afd2ef05e10e175e6f533878534547e3145ea4d9c79538d57604b913b
                                                                    • Instruction Fuzzy Hash: 0E51C531A042015BC724FB36D95AAAE36A5AB80344F40453FF606576F2EF7C8985C7DE
                                                                    APIs
                                                                    • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EF0,00465FB4,?,00000000,00408037,00000000), ref: 00407A00
                                                                    • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A48
                                                                      • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                    • CloseHandle.KERNEL32(00000000,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A88
                                                                    • MoveFileW.KERNEL32(00000000,00000000), ref: 00407AA5
                                                                    • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AD0
                                                                    • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AE0
                                                                      • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474F08,00404C49,00000000,00000000,00000000,?,00474F08,?), ref: 00404BA5
                                                                      • Part of subcall function 00404B96: SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                                    • String ID: .part
                                                                    • API String ID: 1303771098-3499674018
                                                                    • Opcode ID: 2150a189df16d023aaea6f06597ff48a5e6b6566d5180279f80c020d780b3e8b
                                                                    • Instruction ID: fa021c15c5d1e87e569c09a19ead990ccf19330fc060556597d24b4305e87d8f
                                                                    • Opcode Fuzzy Hash: 2150a189df16d023aaea6f06597ff48a5e6b6566d5180279f80c020d780b3e8b
                                                                    • Instruction Fuzzy Hash: 3A31B571508345AFC310EB61D84599FB3A8FF94359F00493FB945A21D2EB78EE08CB9A
                                                                    APIs
                                                                    • _strftime.LIBCMT ref: 00401BD4
                                                                      • Part of subcall function 00401CE9: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401D55
                                                                    • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401C86
                                                                    • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CC4
                                                                    • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CD3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                                    • String ID: %Y-%m-%d %H.%M$.wav$tMG
                                                                    • API String ID: 3809562944-3627046146
                                                                    • Opcode ID: f217577dce8cc6f6c7ee3c0eb123ea9d824183a499dfddb96fb1e5157d8eeec6
                                                                    • Instruction ID: 77224d9c3c18060e3821781750c24aeed92f5db76bec914a8a88ddbccf287b9a
                                                                    • Opcode Fuzzy Hash: f217577dce8cc6f6c7ee3c0eb123ea9d824183a499dfddb96fb1e5157d8eeec6
                                                                    • Instruction Fuzzy Hash: 5F3181315043019FC325EB62DD46A9A77A8FB84319F40443EF149A31F2EFB89949CB9A
                                                                    APIs
                                                                    • AllocConsole.KERNEL32(00475348), ref: 0041CE35
                                                                    • GetConsoleWindow.KERNEL32 ref: 0041CE3B
                                                                    • ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                                                    • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Console$Window$AllocOutputShow
                                                                    • String ID: Remcos v$5.2.0 Pro$CONOUT$
                                                                    • API String ID: 4067487056-793934204
                                                                    • Opcode ID: 4ac208d8a2a9dd681627466f3850d62ccb8bf7ad48dd9727624a0f6f50ade13e
                                                                    • Instruction ID: a031bdd2f27af694b11ce09d1e3c688e218bb3586dee27dfc95755d0e541b829
                                                                    • Opcode Fuzzy Hash: 4ac208d8a2a9dd681627466f3850d62ccb8bf7ad48dd9727624a0f6f50ade13e
                                                                    • Instruction Fuzzy Hash: 2D014471A80304BBD610F7F19D8BF9EB7AC9B18B05F500527BA04A70D2EB6DD944466E
                                                                    Strings
                                                                    • Rmc-VG9RMM, xrefs: 00407715
                                                                    • xdF, xrefs: 004076E4
                                                                    • RG, xrefs: 004076DF
                                                                    • C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, xrefs: 004076FF
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe$Rmc-VG9RMM$xdF$RG
                                                                    • API String ID: 0-3004078393
                                                                    • Opcode ID: bfa82963eea25e7f3a1000047237d0892740d3b416b353ce1bd886ed4ccf4a83
                                                                    • Instruction ID: 8e81a4762a03630119b5543cf4782e43f3d691fcab72f30749e56a9243805afb
                                                                    • Opcode Fuzzy Hash: bfa82963eea25e7f3a1000047237d0892740d3b416b353ce1bd886ed4ccf4a83
                                                                    • Instruction Fuzzy Hash: 08F0F6B0A14141ABCB1067355D286AA3756A784397F00487BF547FB2F2EBBD5C82861E
                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044AD23
                                                                    • __alloca_probe_16.LIBCMT ref: 0044AD5B
                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044ADA9
                                                                    • __alloca_probe_16.LIBCMT ref: 0044AE40
                                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AEA3
                                                                    • __freea.LIBCMT ref: 0044AEB0
                                                                      • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                    • __freea.LIBCMT ref: 0044AEB9
                                                                    • __freea.LIBCMT ref: 0044AEDE
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                                    • String ID:
                                                                    • API String ID: 3864826663-0
                                                                    • Opcode ID: 276b4224ba7534166915209a775ab474993eb6b0505c2e4c67818911aa509b1e
                                                                    • Instruction ID: de232b2c18f644b0009b05ef7aad101f1c584e700cc6948cb3d999d9ae9be8cc
                                                                    • Opcode Fuzzy Hash: 276b4224ba7534166915209a775ab474993eb6b0505c2e4c67818911aa509b1e
                                                                    • Instruction Fuzzy Hash: 41514C72A80206AFFB258F64CC41EBF77A9DB44750F25462EFC14D7240EB38DC60869A
                                                                    APIs
                                                                    • SendInput.USER32 ref: 00419A25
                                                                    • SendInput.USER32(00000001,?,0000001C,00000000), ref: 00419A4D
                                                                    • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A74
                                                                    • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A92
                                                                    • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AB2
                                                                    • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AD7
                                                                    • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AF9
                                                                    • SendInput.USER32(00000001,00000000,0000001C), ref: 00419B1C
                                                                      • Part of subcall function 004199CE: MapVirtualKeyA.USER32(00000000,00000000), ref: 004199D4
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: InputSend$Virtual
                                                                    • String ID:
                                                                    • API String ID: 1167301434-0
                                                                    • Opcode ID: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                                                    • Instruction ID: b6cba15de7ba168fc32b54cb564de1fb898aed6d56f2455a0f9f7e0387a20004
                                                                    • Opcode Fuzzy Hash: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                                                    • Instruction Fuzzy Hash: 2431AE71218349A9E220DFA5DC41BDFBBECAF89B44F04080FF58457291CAA49D8C876B
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: __freea$__alloca_probe_16_free
                                                                    • String ID: a/p$am/pm$h{D
                                                                    • API String ID: 2936374016-2303565833
                                                                    • Opcode ID: fd6751c856b69d551333f65899c140b2c90fb7d01a30c867c2f4d7dd71cdc8bb
                                                                    • Instruction ID: c225e1f32c331ede1d29eb10815d0f52c76e58365e66366979e06629ded2ae5c
                                                                    • Opcode Fuzzy Hash: fd6751c856b69d551333f65899c140b2c90fb7d01a30c867c2f4d7dd71cdc8bb
                                                                    • Instruction Fuzzy Hash: 94D1E1719082068AFB299F68C845ABFB7B1EF05300F28455BE501AB351D73D9E43CBA9
                                                                    APIs
                                                                      • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                    • _free.LIBCMT ref: 00444E87
                                                                    • _free.LIBCMT ref: 00444E9E
                                                                    • _free.LIBCMT ref: 00444EBD
                                                                    • _free.LIBCMT ref: 00444ED8
                                                                    • _free.LIBCMT ref: 00444EEF
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _free$AllocateHeap
                                                                    • String ID: KED
                                                                    • API String ID: 3033488037-2133951994
                                                                    • Opcode ID: bf8f09c86d4ddf62a61791e98d41f8d125843f3e4b01e4d539fef815b17f4b11
                                                                    • Instruction ID: 6eb5fd97c930506827bd935ec23fdf2bd7e2f8155051dcdfd38a61b70e77380a
                                                                    • Opcode Fuzzy Hash: bf8f09c86d4ddf62a61791e98d41f8d125843f3e4b01e4d539fef815b17f4b11
                                                                    • Instruction Fuzzy Hash: 2351B371A00604ABEB20DF29CC42B6B77F4FF89724B25456EE809D7751E739E901CB98
                                                                    APIs
                                                                    • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0044BBB1,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B47E
                                                                    • __fassign.LIBCMT ref: 0044B4F9
                                                                    • __fassign.LIBCMT ref: 0044B514
                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B53A
                                                                    • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BBB1,00000000,?,?,?,?,?,?,?,?,?,0044BBB1,?), ref: 0044B559
                                                                    • WriteFile.KERNEL32(?,?,00000001,0044BBB1,00000000,?,?,?,?,?,?,?,?,?,0044BBB1,?), ref: 0044B592
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                    • String ID:
                                                                    • API String ID: 1324828854-0
                                                                    • Opcode ID: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                                                    • Instruction ID: 262f0c9efa3d8d05c94b564727faad167cb6e35c827a04fe4b8fb241bd644287
                                                                    • Opcode Fuzzy Hash: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                                                    • Instruction Fuzzy Hash: 2151B470A00249AFDB10CFA8D845AEEFBF8EF09304F14456BE955E7291E734D941CBA9
                                                                    APIs
                                                                    • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,10009C07,?,00000000,?,00000000,00000000), ref: 100094D4
                                                                    • __fassign.LIBCMT ref: 1000954F
                                                                    • __fassign.LIBCMT ref: 1000956A
                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 10009590
                                                                    • WriteFile.KERNEL32(?,?,00000000,10009C07,00000000,?,?,?,?,?,?,?,?,?,10009C07,?), ref: 100095AF
                                                                    • WriteFile.KERNEL32(?,?,00000001,10009C07,00000000,?,?,?,?,?,?,?,?,?,10009C07,?), ref: 100095E8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4517676071.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4517659221.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4517676071.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                    • String ID:
                                                                    • API String ID: 1324828854-0
                                                                    • Opcode ID: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                                                    • Instruction ID: 7b1e32e7ca62d622bc6abd4954a79b3a1191cf35157f5551c2bc05612337e78d
                                                                    • Opcode Fuzzy Hash: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                                                    • Instruction Fuzzy Hash: D7519271D00249AFEB10CFA4CC95BDEBBF8EF09350F15811AE955E7295D731AA41CB60
                                                                    APIs
                                                                    • __Init_thread_footer.LIBCMT ref: 004018BE
                                                                    • ExitThread.KERNEL32 ref: 004018F6
                                                                    • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EF0,00000000), ref: 00401A04
                                                                      • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                                    • String ID: `kG$hMG$kG
                                                                    • API String ID: 1649129571-3851552405
                                                                    • Opcode ID: 10666973e5e8ff75b0c1cd0af232efa1b370be224fd78eecddfd37fa2d69484e
                                                                    • Instruction ID: dc699b77c08b599092ddf19de7d80486fcd8c0a7edd7622242773fc29a9484b7
                                                                    • Opcode Fuzzy Hash: 10666973e5e8ff75b0c1cd0af232efa1b370be224fd78eecddfd37fa2d69484e
                                                                    • Instruction Fuzzy Hash: 3441C2312042009BC324FB36DD96ABE73A6AB85354F00453FF54AA61F1DF38AD4AC61E
                                                                    APIs
                                                                    • _ValidateLocalCookies.LIBCMT ref: 1000339B
                                                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 100033A3
                                                                    • _ValidateLocalCookies.LIBCMT ref: 10003431
                                                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 1000345C
                                                                    • _ValidateLocalCookies.LIBCMT ref: 100034B1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4517676071.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4517659221.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4517676071.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                    • String ID: csm
                                                                    • API String ID: 1170836740-1018135373
                                                                    • Opcode ID: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                                                    • Instruction ID: 0a936c430148d26a69835db3fa9f683d01d5328c1142e13f0191aacd949c771e
                                                                    • Opcode Fuzzy Hash: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                                                    • Instruction Fuzzy Hash: D141D678E042189BEB12CF68C880A9FBBF9EF453A4F10C155E9159F25AD731FA01CB91
                                                                    APIs
                                                                      • Part of subcall function 00413656: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750F4), ref: 00413678
                                                                      • Part of subcall function 00413656: RegQueryValueExW.ADVAPI32(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
                                                                      • Part of subcall function 00413656: RegCloseKey.ADVAPI32(?), ref: 004136A0
                                                                      • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                                      • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                                                    • _wcslen.LIBCMT ref: 0041B7F4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                                                    • String ID: .exe$HSG$http\shell\open\command$program files (x86)\$program files\
                                                                    • API String ID: 3286818993-930133217
                                                                    • Opcode ID: b86b44ed08d52466cfc9a3801a6d71745e254f0deb3e8f8ed9e40c284f2e6556
                                                                    • Instruction ID: 00334f857bbe6022557327a28fa8f115e820bd32ca6b34e50ab8c41aa79dd428
                                                                    • Opcode Fuzzy Hash: b86b44ed08d52466cfc9a3801a6d71745e254f0deb3e8f8ed9e40c284f2e6556
                                                                    • Instruction Fuzzy Hash: 42218872A001046BDB14BAB59CD6AFE766D9B48728F10043FF505B72C3EE3C9D49426D
                                                                    APIs
                                                                      • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                                      • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                                                      • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                                                                    • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BFA6
                                                                    • PathFileExistsA.SHLWAPI(?), ref: 0040BFB3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                                    • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                                    • API String ID: 1133728706-4073444585
                                                                    • Opcode ID: 8584a8e929dd88755208e5dc6c929038a2b3d03118b5dfc9d3733d7f14428daa
                                                                    • Instruction ID: 7718d61ab729039ae94473664947c91a52367f601ff6055b29c84dcba8ed2574
                                                                    • Opcode Fuzzy Hash: 8584a8e929dd88755208e5dc6c929038a2b3d03118b5dfc9d3733d7f14428daa
                                                                    • Instruction Fuzzy Hash: E7215230A40219A6CB14F7F1CC969EE7729AF50744F80017FE502B71D1EB7D6945C6DA
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4464324db8c5353dfe5ce51150f621231adbafcb5ed67c6bb2f14fac2072150c
                                                                    • Instruction ID: d4e598e7927038c57750db0ba161657e9615562456f8c919f0676739ef068bdb
                                                                    • Opcode Fuzzy Hash: 4464324db8c5353dfe5ce51150f621231adbafcb5ed67c6bb2f14fac2072150c
                                                                    • Instruction Fuzzy Hash: 931127B2504214BBEB216F768C05D1F7A5CEB86726B52062EFD55C7292DA3CCC0186A8
                                                                    APIs
                                                                    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401A7D
                                                                    • waveInOpen.WINMM(00472AC0,000000FF,00472AC8,Function_00001B8F,00000000,00000000,00000024), ref: 00401B13
                                                                    • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401B67
                                                                    • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401B76
                                                                    • waveInStart.WINMM ref: 00401B82
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                                    • String ID: tMG
                                                                    • API String ID: 1356121797-30866661
                                                                    • Opcode ID: a32bf82f151408e5f3abe306aa4422ab47744250154bd8f7e0bff8bea5466356
                                                                    • Instruction ID: cbef553d477d36f78321a165484ecc4410fcecc505b8f9aca62d01b994c6c3e6
                                                                    • Opcode Fuzzy Hash: a32bf82f151408e5f3abe306aa4422ab47744250154bd8f7e0bff8bea5466356
                                                                    • Instruction Fuzzy Hash: 8E2148716042019FC7299F6AEE09A697BAAFB84711B04403EE10DD76F1DBF848C5CB2C
                                                                    APIs
                                                                    • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
                                                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C4DE
                                                                    • CloseHandle.KERNEL32(00000000), ref: 0041C4EA
                                                                    • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C4FB
                                                                    • CloseHandle.KERNEL32(00000000), ref: 0041C508
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$CloseHandle$CreatePointerWrite
                                                                    • String ID: xpF
                                                                    • API String ID: 1852769593-354647465
                                                                    • Opcode ID: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                                                    • Instruction ID: 0233a984b642d2e84dd4fc2cab076f06cd7f632185dc4648213adf39284592b7
                                                                    • Opcode Fuzzy Hash: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                                                    • Instruction Fuzzy Hash: 6311E571288215BFE7104A24ACC8EBB739CEB46365F10862BF912D22D0C624DC418639
                                                                    APIs
                                                                      • Part of subcall function 00450CC1: _free.LIBCMT ref: 00450CEA
                                                                    • _free.LIBCMT ref: 00450FC8
                                                                      • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                      • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                    • _free.LIBCMT ref: 00450FD3
                                                                    • _free.LIBCMT ref: 00450FDE
                                                                    • _free.LIBCMT ref: 00451032
                                                                    • _free.LIBCMT ref: 0045103D
                                                                    • _free.LIBCMT ref: 00451048
                                                                    • _free.LIBCMT ref: 00451053
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                    • String ID:
                                                                    • API String ID: 776569668-0
                                                                    • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                                    • Instruction ID: 345e916fd15b447c36d88a7a8914fd19e4c3e0710e9d23c2e9f19f8556552687
                                                                    • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                                    • Instruction Fuzzy Hash: C111D231402704AAE621BB72CC03FCB779CAF03304F454D2EBEA967153C7ACB4185654
                                                                    APIs
                                                                      • Part of subcall function 10009221: _free.LIBCMT ref: 1000924A
                                                                    • _free.LIBCMT ref: 100092AB
                                                                      • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                      • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                    • _free.LIBCMT ref: 100092B6
                                                                    • _free.LIBCMT ref: 100092C1
                                                                    • _free.LIBCMT ref: 10009315
                                                                    • _free.LIBCMT ref: 10009320
                                                                    • _free.LIBCMT ref: 1000932B
                                                                    • _free.LIBCMT ref: 10009336
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4517676071.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4517659221.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4517676071.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                    • String ID:
                                                                    • API String ID: 776569668-0
                                                                    • Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                    • Instruction ID: 62dea9ede071ec04ae7e8d39c2d2a9b8d59ba4565e42afa4a1a73bd13a3591d1
                                                                    • Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                    • Instruction Fuzzy Hash: 3E118E35548B08FAFA20EBB0EC47FCB7B9DEF04780F400824BA9DB6097DA25B5249751
                                                                    APIs
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 004111AB
                                                                    • int.LIBCPMT ref: 004111BE
                                                                      • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                                                      • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                                                    • std::_Facet_Register.LIBCPMT ref: 004111FE
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00411207
                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00411225
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                    • String ID: 8mG
                                                                    • API String ID: 2536120697-3990007011
                                                                    • Opcode ID: 14799048d37b477e6c40f7e8d4f0e89b1ed2b05bcd10956721a24fc1261bb2b4
                                                                    • Instruction ID: 3a14b803bc510f5ed1108d30ac07207671fc4f07faef22c9ffd8c11cb1ae2def
                                                                    • Opcode Fuzzy Hash: 14799048d37b477e6c40f7e8d4f0e89b1ed2b05bcd10956721a24fc1261bb2b4
                                                                    • Instruction Fuzzy Hash: D3112332900124A7CB14EBAAD8018DEBBA99F44364F11456FFE04B72E1DB789E41CBD8
                                                                    APIs
                                                                    • GetLastError.KERNEL32(?,?,0043A3D1,0043933E), ref: 0043A3E8
                                                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A3F6
                                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40F
                                                                    • SetLastError.KERNEL32(00000000,?,0043A3D1,0043933E), ref: 0043A461
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorLastValue___vcrt_
                                                                    • String ID:
                                                                    • API String ID: 3852720340-0
                                                                    • Opcode ID: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                                                    • Instruction ID: 228fd8bb196f6ae1284969ba5442ea73dc67404c1df350b3d70410c0baad6fb0
                                                                    • Opcode Fuzzy Hash: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                                                    • Instruction Fuzzy Hash: 87019C322483515EA61027797C8A62B2648EB293B9F30523FF518805F1EF984C90910D
                                                                    APIs
                                                                    • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe), ref: 0040760B
                                                                      • Part of subcall function 00407538: _wcslen.LIBCMT ref: 0040755C
                                                                      • Part of subcall function 00407538: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                                                    • CoUninitialize.OLE32 ref: 00407664
                                                                    Strings
                                                                    • C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, xrefs: 004075EB, 004075EE, 00407640
                                                                    • [+] before ShellExec, xrefs: 0040762C
                                                                    • [+] ucmCMLuaUtilShellExecMethod, xrefs: 004075F0
                                                                    • [+] ShellExec success, xrefs: 00407649
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: InitializeObjectUninitialize_wcslen
                                                                    • String ID: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                                    • API String ID: 3851391207-2036957079
                                                                    • Opcode ID: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                                                    • Instruction ID: e4e7d1672fbddd81374e29e92f863be8f9bad83f72bb7a306ddb251afa86686e
                                                                    • Opcode Fuzzy Hash: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                                                    • Instruction Fuzzy Hash: 4501D272B087116BE2246B65DC4AF6B3748DB41B25F11053FF901A62C1EAB9FC0146AB
                                                                    APIs
                                                                    • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BB18
                                                                    • GetLastError.KERNEL32 ref: 0040BB22
                                                                    Strings
                                                                    • UserProfile, xrefs: 0040BAE8
                                                                    • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAE3
                                                                    • [Chrome Cookies found, cleared!], xrefs: 0040BB48
                                                                    • [Chrome Cookies not found], xrefs: 0040BB3C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: DeleteErrorFileLast
                                                                    • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                                    • API String ID: 2018770650-304995407
                                                                    • Opcode ID: 2ad7dee9e06ba03f91c1086a73cfdb7f7db0bc088c83d68740cfc9fbf4b43286
                                                                    • Instruction ID: 5dee569c6883bfd73109a670bb68234af0f28e4caad238985ba957b2c74b96e7
                                                                    • Opcode Fuzzy Hash: 2ad7dee9e06ba03f91c1086a73cfdb7f7db0bc088c83d68740cfc9fbf4b43286
                                                                    • Instruction Fuzzy Hash: 5B01DF71A402055BCA04B7B6CC1B9BE7B24E922704B50017FF502726D6FE3E5D0986CE
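Four of the function records above are the ones a triager wants surfaced before anything else: the winmm waveIn* sequence at 00401A7D (microphone capture), the CreateFileW/WriteFile routine at 0041C4C1 whose argument list carries the WSH self-delete line fso.DeleteFile(Wscript.ScriptFullName), the CoGetObject call next to the [+] ucmCMLuaUtilShellExecMethod string at 0040760B (the CMSTPLUA UAC bypass flagged in the report header), and the DeleteFileA on the Chrome Cookies path at 0040BB18. The script below is an added example, not Joe Sandbox or Remcos code: it parses the "APIs" / "Strings" blocks in the exact form this page uses and maps API-plus-string combinations to capability labels. The rule set, the labels, the FunctionRecord type and the triage() helper are assumptions made for this example; the embedded sample input is trimmed from the records above.

```python
"""Triage helper for Joe Sandbox per-function "APIs" / "Strings" records.

Added example (not Joe Sandbox code). Parses the function listing as it
appears in the report and flags API/string combinations worth looking at
first. Rules and labels are assumptions for this example.
"""
import re
from dataclasses import dataclass, field

# One API call line, three shapes seen in the report:
#   • waveInOpen.WINMM(00472AC0,000000FF,...), ref: 00401B13
#   • waveInStart.WINMM ref: 00401B82
#     • Part of subcall function 00407538: CoGetObject.OLE32(?,...), ref: 004075BD
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[^\s.(]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# One string line:  • [+] ucmCMLuaUtilShellExecMethod, xrefs: 004075F0
STR_RE = re.compile(r"^\s*•\s*(?P<text>.*?),\s*xrefs:\s*(?P<xrefs>[0-9A-Fa-f, ]+)\s*$")


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)      # (name, module, args, ref)
    strings: list = field(default_factory=list)

    @property
    def first_ref(self):
        return self.apis[0][3] if self.apis else None

    def api_names(self):
        return {a[0] for a in self.apis}

    def text(self):
        # Arguments are searched too: the VBS self-delete line only appears
        # inside CreateFileW's argument list, never under "Strings".
        return " ".join(a[2] for a in self.apis) + " " + " ".join(self.strings)


def parse_records(report_text):
    """Split the listing into records; "Memory Dump Source" closes a record."""
    records, current, mode = [], None, None
    for line in report_text.splitlines():
        head = line.strip()
        if head == "APIs":
            current = FunctionRecord()
            records.append(current)
            mode = "apis"
        elif head == "Strings":
            mode = "strings"
        elif head == "Memory Dump Source":
            mode = None
        elif current is not None and mode == "apis":
            m = API_RE.match(line)
            if m:
                current.apis.append((m["name"], m["module"], m["args"] or "", m["ref"]))
        elif current is not None and mode == "strings":
            m = STR_RE.match(line)
            if m:
                current.strings.append(m["text"])
    return records


# Capability rules (assumed for this example): label, predicate over a record.
RULES = (
    ("microphone capture via winmm waveIn*",
     lambda r: {"waveInOpen", "waveInStart"} <= r.api_names()),
    ("UAC bypass via CMSTPLUA COM elevation (ucmCMLuaUtilShellExecMethod)",
     lambda r: "CoGetObject" in r.api_names() and "CMLuaUtil" in r.text()),
    ("Chrome cookie store deleted",
     lambda r: "DeleteFileA" in r.api_names()
     and "Chrome\\User Data" in r.text() and "Cookies" in r.text()),
    ("writes a WSH self-delete script (fso.DeleteFile(Wscript.ScriptFullName))",
     lambda r: {"CreateFileW", "WriteFile"} <= r.api_names()
     and "Wscript.ScriptFullName" in r.text()),
)


def classify(record):
    return [label for label, pred in RULES if pred(record)]


def triage(report_text):
    """Return {first API ref: [labels]} for every record that hits a rule."""
    hits = {}
    for rec in parse_records(report_text):
        labels = classify(rec)
        if labels:
            hits[rec.first_ref] = labels
    return hits


# Sample input: trimmed from the records on this page (raw string: the paths contain backslashes).
SAMPLE_REPORT = r"""
APIs
• CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401A7D
• waveInOpen.WINMM(00472AC0,000000FF,00472AC8,Function_00001B8F,00000000,00000000,00000024), ref: 00401B13
• waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401B67
• waveInStart.WINMM ref: 00401B82
Strings
Memory Dump Source
APIs
• CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
• WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C4FB
• CloseHandle.KERNEL32(00000000), ref: 0041C508
Memory Dump Source
APIs
• _free.LIBCMT ref: 00450FC8
  • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF), ref: 00446818
Memory Dump Source
APIs
• CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe), ref: 0040760B
  • Part of subcall function 00407538: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
• CoUninitialize.OLE32 ref: 00407664
Strings
• [+] ucmCMLuaUtilShellExecMethod, xrefs: 004075F0
• [+] ShellExec success, xrefs: 00407649
Memory Dump Source
APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BB18
• GetLastError.KERNEL32 ref: 0040BB22
Strings
• \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAE3
• [Chrome Cookies found, cleared!], xrefs: 0040BB48
Memory Dump Source
"""

if __name__ == "__main__":
    for ref, labels in triage(SAMPLE_REPORT).items():
        print(ref, "->", "; ".join(labels))
```

Run it against a saved copy of the whole "Execution Graph" text rather than the trimmed sample to get every hit in one pass; records that only free heap memory or set up CRT locale state (the _free, std::_Lockit and __allrem routines above) fall through without a label, which is the point of keying on API combinations rather than single calls.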
                                                                    APIs
                                                                    • __allrem.LIBCMT ref: 0043ACE9
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD05
                                                                    • __allrem.LIBCMT ref: 0043AD1C
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD3A
                                                                    • __allrem.LIBCMT ref: 0043AD51
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD6F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                    • String ID:
                                                                    • API String ID: 1992179935-0
                                                                    • Opcode ID: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
                                                                    • Instruction ID: c7cd181284538591ee8af1586cca3d38175ba7b34bac8e5aa56d350f01832762
                                                                    • Opcode Fuzzy Hash: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
                                                                    • Instruction Fuzzy Hash: 5F815972A40B05ABE7209F29CC41B6FB3A99F48324F24152FF591D67C1E77CE910875A
                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,10006FFD,00000000,?,?,?,10008A72,?,?,00000100), ref: 1000887B
                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,10008A72,?,?,00000100,5EFC4D8B,?,?), ref: 10008901
                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 100089FB
                                                                    • __freea.LIBCMT ref: 10008A08
                                                                      • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                                    • __freea.LIBCMT ref: 10008A11
                                                                    • __freea.LIBCMT ref: 10008A36
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4517676071.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4517659221.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4517676071.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                    • String ID:
                                                                    • API String ID: 1414292761-0
                                                                    • Opcode ID: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                                                    • Instruction ID: 3f57ce737592ef9202bcebfaa3f65c0582e3f3231b4dd00ae19a895c9b397c34
                                                                    • Opcode Fuzzy Hash: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                                                    • Instruction Fuzzy Hash: 4F51CF72710216ABFB15CF60CC85EAB37A9FB417D0F11462AFC44D6148EB35EE509BA1
                                                                    APIs
                                                                    • Sleep.KERNEL32(00000000,0040D29D), ref: 004044C4
                                                                      • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: H_prologSleep
                                                                    • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$XNG
                                                                    • API String ID: 3469354165-985523790
                                                                    • Opcode ID: b3230379ab73ca867e627d7e1538a226106f9394170f61bd640f87d599c2b3dc
                                                                    • Instruction ID: 7593a199e81997f2aad1dc538160579efde4e563a54277089fa649d8e7e3dbe8
                                                                    • Opcode Fuzzy Hash: b3230379ab73ca867e627d7e1538a226106f9394170f61bd640f87d599c2b3dc
                                                                    • Instruction Fuzzy Hash: 2A51E0B1A042106BCA14FB369D0A66E3655ABC4748F00443FFA09676E2DF7D8E46839E
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: __cftoe
                                                                    • String ID:
                                                                    • API String ID: 4189289331-0
                                                                    • Opcode ID: df708042516445aa89903c6330052172adb2df4233c064de01baf1be20d0a2ef
                                                                    • Instruction ID: b93b8478136607885b926496a305f1bfb884a7f6acf724e610c81469f19cb9e5
                                                                    • Opcode Fuzzy Hash: df708042516445aa89903c6330052172adb2df4233c064de01baf1be20d0a2ef
                                                                    • Instruction Fuzzy Hash: 2551FD72500605ABFF209B598C81EAF77A8EF45334F25421FF915A6293DB3DD900C66D
                                                                    APIs
                                                                    • _strlen.LIBCMT ref: 10001607
                                                                    • _strcat.LIBCMT ref: 1000161D
                                                                    • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,1000190E,?,?,00000000,?,00000000), ref: 10001643
                                                                    • lstrcatW.KERNEL32(?,?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 1000165A
                                                                    • lstrlenW.KERNEL32(?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 10001661
                                                                    • lstrcatW.KERNEL32(00001008,?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 10001686
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4517676071.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4517659221.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4517676071.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: lstrcatlstrlen$_strcat_strlen
                                                                    • String ID:
                                                                    • API String ID: 1922816806-0
                                                                    • Opcode ID: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
                                                                    • Instruction ID: a267a6945d1554df97f4c8e17fbec8689bbb0548aac84132402ab8fad08d9bbc
                                                                    • Opcode Fuzzy Hash: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
                                                                    • Instruction Fuzzy Hash: 9821A776900204ABEB05DBA4DC85FEE77B8EF88750F24401BF604AB185DF34B94587A9
                                                                    APIs
                                                                    • lstrcatW.KERNEL32(?,?,?,?,?,00000000), ref: 10001038
                                                                    • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 1000104B
                                                                    • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 10001061
                                                                    • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 10001075
                                                                    • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 10001090
                                                                    • lstrlenW.KERNEL32(?,?,?,00000000), ref: 100010B8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4517676071.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4517659221.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4517676071.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: lstrlen$AttributesFilelstrcat
                                                                    • String ID:
                                                                    • API String ID: 3594823470-0
                                                                    • Opcode ID: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
                                                                    • Instruction ID: f5da6160d3db499da992451a69b84f141dc83571de07cfa19ff2ab3d93a8fd2c
                                                                    • Opcode Fuzzy Hash: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
                                                                    • Instruction Fuzzy Hash: DB21E5359003289BEF10DBA0DC48EDF37B8EF44294F104556E999931A6DE709EC5CF50
                                                                    APIs
                                                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD19
                                                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD3A
                                                                    • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD81
                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD84
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                                    • String ID:
                                                                    • API String ID: 493672254-0
                                                                    • Opcode ID: 305a945f5ae16c96e2f06c84d41aa4012af85c485f9c974a0b1ca90fe9e389de
                                                                    • Instruction ID: 77e668261cf9ee2bd18e5a0e87596c089765e66a1be6d3c981f75cbf7ed2a716
                                                                    • Opcode Fuzzy Hash: 305a945f5ae16c96e2f06c84d41aa4012af85c485f9c974a0b1ca90fe9e389de
                                                                    • Instruction Fuzzy Hash: A7016D311462157AD6111B34AC4EFFB3B6CDB02772F10032BF625965D1DA68CE8195AB
                                                                    APIs
                                                                    • GetLastError.KERNEL32(?,?,10003518,100023F1,10001F17), ref: 10003864
                                                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10003872
                                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 1000388B
                                                                    • SetLastError.KERNEL32(00000000,?,10003518,100023F1,10001F17), ref: 100038DD
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4517676071.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4517659221.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4517676071.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLastValue___vcrt_
                                                                    • String ID:
                                                                    • API String ID: 3852720340-0
                                                                    • Opcode ID: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
                                                                    • Instruction ID: 2a33bd680f99e964f7cdf1ea0b0e713dcb61597015083b2077453114c578dac0
                                                                    • Opcode Fuzzy Hash: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
                                                                    • Instruction Fuzzy Hash: 0F012432608B225EF207D7796CCAA0B2BDDDB096F9B20C27AF510940E9EF219C009300
                                                                    APIs
                                                                    • GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                    • _free.LIBCMT ref: 004482CC
                                                                    • _free.LIBCMT ref: 004482F4
                                                                    • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                                                    • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                    • _abort.LIBCMT ref: 00448313
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorLast$_free$_abort
                                                                    • String ID:
                                                                    • API String ID: 3160817290-0
                                                                    • Opcode ID: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                                                                    • Instruction ID: 8d34d3ffa9a8a5ca7629c839d325bdddc3ef58a145117f7ac1d0225592351e3a
                                                                    • Opcode Fuzzy Hash: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                                                                    • Instruction Fuzzy Hash: 8EF0A435101B006BF611772A6C06B6F26599BD3B69F36042FFD18962D2EF6DCC42816D
                                                                    APIs
                                                                    • GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
                                                                    • _free.LIBCMT ref: 10005B2D
                                                                    • _free.LIBCMT ref: 10005B55
                                                                    • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B62
                                                                    • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
                                                                    • _abort.LIBCMT ref: 10005B74
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4517676071.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4517659221.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4517676071.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast$_free$_abort
                                                                    • String ID:
                                                                    • API String ID: 3160817290-0
                                                                    • Opcode ID: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
                                                                    • Instruction ID: 6ab9c425fee0725613b21b3b36aaf5e4259b246f4cabca8c388d0d7fb541d563
                                                                    • Opcode Fuzzy Hash: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
                                                                    • Instruction Fuzzy Hash: 8FF0A47A508911AAF212E3346C4AF0F36AACBC55E3F264125F918A619DFF27B9024174
                                                                    APIs
                                                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB46
                                                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB67
                                                                    • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB88
                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB8B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Service$CloseHandle$Open$ControlManager
                                                                    • String ID:
                                                                    • API String ID: 221034970-0
• Opcode ID: 8eb54fa1672786e09d2219133f0626536d5b5b39631990794a881cefe09f2d9d
• Instruction ID: 443f58cffa4f299642b313368f914f767bd977a6fac550f0ec2f38f013616b5a
• Opcode Fuzzy Hash: 8eb54fa1672786e09d2219133f0626536d5b5b39631990794a881cefe09f2d9d
• Instruction Fuzzy Hash: E4F0F631541318BBD7116F259C49DFF3B6CDB45B62F000026FE0992192EB68DD4595F9
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC4A
• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC6B
• ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8C
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8F
Memory Dump Source
• Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
• API String ID: 221034970-0
• Opcode ID: 7d40cec447ae271724922458aab5fd3d84dbec4ea928b02c1f03fd5bbfed4507
• Instruction ID: 80b71cf000cc834045a6d48b23744411b71cc7e49355023a2f572df053a73ec4
• Opcode Fuzzy Hash: 7d40cec447ae271724922458aab5fd3d84dbec4ea928b02c1f03fd5bbfed4507
• Instruction Fuzzy Hash: 73F0C231501218ABD611AF65AC4AEFF3B6CDB45B62F00002AFE0992192EB38CD4595E9
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACB1
• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACC5
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACD2
• ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF3
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF6
Memory Dump Source
• Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
• API String ID: 221034970-0
• Opcode ID: a0f35f664dbda9af56b5a5da66da559fb3e9fc57b8559f966e995c2fd7636ff5
• Instruction ID: 4c72e2560426042a93d841201029be6eaa37955ba2c7d49e75f16ae618c5df44
• Opcode Fuzzy Hash: a0f35f664dbda9af56b5a5da66da559fb3e9fc57b8559f966e995c2fd7636ff5
• Instruction Fuzzy Hash: 85F0F631501228BBD7116F25AC49DFF3B6CDB45B62F00002AFE0992192EB38CD46A6F9
APIs
• RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D81
  • Part of subcall function 00413A90: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
  • Part of subcall function 00413A90: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
• RegCloseKey.ADVAPI32(00000000,004660B4,004660B4,00466478,00466478,00000071), ref: 00413EEF
Strings
Memory Dump Source
• Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
Yara matches
Similarity
• API ID: CloseEnumInfoOpenQuerysend
• String ID: (aF$,aF$xdF
• API String ID: 3114080316-1322504040
• Opcode ID: 7972ed121b837dc5777eab2f7b5719ec2524166ce1df85a3284417a8347daeba
• Instruction ID: 9135d8dbad86ad48596e871537d7b2906c3d36c2a7f97e2d86650b4d09e6d137
• Opcode Fuzzy Hash: 7972ed121b837dc5777eab2f7b5719ec2524166ce1df85a3284417a8347daeba
• Instruction Fuzzy Hash: E341A0316082406AC324FB26D852AEF72A59FD1348F80883FF54A671D6EF7C5D49866E
APIs
• GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe,00000104), ref: 00443515
• _free.LIBCMT ref: 004435E0
• _free.LIBCMT ref: 004435EA
Strings
Memory Dump Source
• Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
Yara matches
Similarity
• API ID: _free$FileModuleName
• String ID: 8(s$C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe
• API String ID: 2506810119-2205699384
• Opcode ID: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
• Instruction ID: e5efe6401a3e5f1db0e1141fbbc5a3d1caea7301f6195c2e8eaff0a3f5655f7e
• Opcode Fuzzy Hash: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
• Instruction Fuzzy Hash: D63193B1A00254BFEB21DF9A998199EBBF8EB84B15F10406BF40597311D6B88F41CB99
APIs
  • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
  • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,?,?,100010DF,?,?,?,00000000), ref: 10001EAC
  • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
  • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
  • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,100010DF,?,100010DF,?,?,?,00000000), ref: 10001ED3
• GetFileAttributesW.KERNEL32(?,?,?,?), ref: 1000122A
  • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001855
  • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001869
Strings
Memory Dump Source
• Source File: 00000000.00000002.4517676071.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4517659221.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4517676071.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
Similarity
• API ID: lstrlen$_strlenlstrcat$AttributesFile
• String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
• API String ID: 4036392271-1520055953
• Opcode ID: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
• Instruction ID: e2b7c7e1c3038021adfe9ab266432482c710e64fc4cfb1bae4cfd9c1521b4980
• Opcode Fuzzy Hash: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
• Instruction Fuzzy Hash: 4B21D579E142486AFB14D7A0EC92FED7339EF80754F000556F604EB1D5EBB16E818758
APIs
  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
• __Init_thread_footer.LIBCMT ref: 0040B7D2
Strings
Memory Dump Source
• Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
Yara matches
Similarity
• API ID: Init_thread_footer__onexit
• String ID: [End of clipboard]$[Text copied to clipboard]$ mG$xdF
• API String ID: 1881088180-3895790603
• Opcode ID: 760ea6e79c3ffbd71de15c4ff94302edcff1e01d539cef0f9343f42a9ac10c53
• Instruction ID: 5c7e69c9d376070a9f10adc198010d279a990252db190bacd7f595afc81a80c0
• Opcode Fuzzy Hash: 760ea6e79c3ffbd71de15c4ff94302edcff1e01d539cef0f9343f42a9ac10c53
• Instruction Fuzzy Hash: B5216D31A102198ACB14FBA6D8929EDB375AF54318F10403FE506771E2EF7C6D4ACA8C
APIs
• GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B1AD
• wsprintfW.USER32 ref: 0040B22E
  • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
Strings
Memory Dump Source
• Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
Yara matches
Similarity
• API ID: EventLocalTimewsprintf
• String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
• API String ID: 1497725170-248792730
• Opcode ID: 59a1be8c83541d479a58bb8d880daa1fd6c6ab67d729e7a964af9fdad9a96c42
• Instruction ID: 4bcbbea8953a56f0834a7592719eb704c83d71ae81c48fe005db4fd1b538d991
• Opcode Fuzzy Hash: 59a1be8c83541d479a58bb8d880daa1fd6c6ab67d729e7a964af9fdad9a96c42
• Instruction Fuzzy Hash: 88114272404118AACB19AB96EC55CFE77BCEE48315B00012FF506A61D1FF7C5A45C6AD
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
• Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
• CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
Strings
Memory Dump Source
• Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandleSizeSleep
• String ID: hQG
• API String ID: 1958988193-4070439852
• Opcode ID: 595eac96881a8bdb509871ed607124858b5f7cdba5588f4db059ccdf03d0ff75
• Instruction ID: fcd55a72cf9b38ed92eee25b8fc798016c5179a181dae4a4499eb8880f316315
• Opcode Fuzzy Hash: 595eac96881a8bdb509871ed607124858b5f7cdba5588f4db059ccdf03d0ff75
• Instruction Fuzzy Hash: 3E113130600740AADA30A7249889A1F37BAD741356F44483EE182676D3C67DDC64C71F
APIs
• RegisterClassExA.USER32(00000030), ref: 0041D5EC
• CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
• GetLastError.KERNEL32 ref: 0041D611
Strings
Memory Dump Source
• Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
Yara matches
Similarity
• API ID: ClassCreateErrorLastRegisterWindow
• String ID: 0$MsgWindowClass
• API String ID: 2877667751-2410386613
• Opcode ID: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
• Instruction ID: e808ecd18ef19f47bd472c0c6462b34ef8490c58390ad3ae495a6aa035ed2a4b
• Opcode Fuzzy Hash: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
• Instruction Fuzzy Hash: 1F0125B1D00219ABDB00DFA5EC849EFBBBCEA08355F40453AF914A6241EB7589058AA4
APIs
• CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004077D6
• CloseHandle.KERNEL32(?), ref: 004077E5
• CloseHandle.KERNEL32(?), ref: 004077EA
Strings
• /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004077CC
• C:\Windows\System32\cmd.exe, xrefs: 004077D1
Memory Dump Source
• Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
Yara matches
Similarity
• API ID: CloseHandle$CreateProcess
• String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
• API String ID: 2922976086-4183131282
                                                                    • Opcode ID: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                                                    • Instruction ID: 1887ccd63cb29ce90d3c4a9dee080bc6fb52b3336ad705aa4023eed0db3a7680
                                                                    • Opcode Fuzzy Hash: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                                                    • Instruction Fuzzy Hash: 04F09672D4029C76CB20ABD7AC0EEDF7F3CEBC5B11F00051AF904A2045DA745400CAB5
                                                                    APIs
                                                                    • RegCreateKeyW.ADVAPI32(80000001,00000000,RG), ref: 0041385A
                                                                    • RegSetValueExW.ADVAPI32(RG,?,00000000,00000001,00000000,00000000,00475300,?,0040F85E,pth_unenc,004752E8), ref: 00413888
                                                                    • RegCloseKey.ADVAPI32(?,?,0040F85E,pth_unenc,004752E8), ref: 00413893
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseCreateValue
                                                                    • String ID: pth_unenc$RG
                                                                    • API String ID: 1818849710-3487042679
                                                                    • Opcode ID: cbeea3386a39013b062d5e7225ad240eff34055e22739d6872e46d18ef669f40
                                                                    • Instruction ID: 9133f253890910ff78e8f434c24b82038cc7026402723a24ca4ec17c3e6d8cb5
                                                                    • Opcode Fuzzy Hash: cbeea3386a39013b062d5e7225ad240eff34055e22739d6872e46d18ef669f40
                                                                    • Instruction Fuzzy Hash: 15F0C271440218FBCF00AFA1EC45FEE376CEF00756F10452AF905A61A1E7759E04DA94
                                                                    APIs
                                                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 004433FA
                                                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044340D
                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 00443430
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                                    • String ID: CorExitProcess$mscoree.dll
                                                                    • API String ID: 4061214504-1276376045
                                                                    • Opcode ID: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                                                    • Instruction ID: d7bd46dfab834bb5d48edea7818df211002af85bf4a2e706b61bd78119be3437
                                                                    • Opcode Fuzzy Hash: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                                                    • Instruction Fuzzy Hash: 4EF04931900208FBDB159F65DC45B9EBF74EF04753F0040A5F805A2251DB758E40CA99
                                                                    APIs
                                                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000), ref: 10004B59
                                                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 10004B6C
                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082), ref: 10004B8F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4517676071.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4517659221.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4517676071.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                                    • String ID: CorExitProcess$mscoree.dll
                                                                    • API String ID: 4061214504-1276376045
                                                                    • Opcode ID: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
                                                                    • Instruction ID: e6e2f78cdd7cd30bdf2d4d174718ae12991e9b6ae5ca6a82eaba56a43cf4d13d
                                                                    • Opcode Fuzzy Hash: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
                                                                    • Instruction Fuzzy Hash: C8F03C71900218BBEB11AB94CC48BAEBFB9EF043D1F01416AE909A6164DF309941CAA5
                                                                    APIs
                                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
                                                                    • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
                                                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405140
                                                                      • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                                    • String ID: KeepAlive | Disabled
                                                                    • API String ID: 2993684571-305739064
                                                                    • Opcode ID: a1239bbaa258f2a34943f968a1ba77755cc365037cc61d007e051ef3d6ef4e82
                                                                    • Instruction ID: dc79248355977efa3495ea8e96f68553e1f2867eb32bbe7dc6984d352a193ca4
                                                                    • Opcode Fuzzy Hash: a1239bbaa258f2a34943f968a1ba77755cc365037cc61d007e051ef3d6ef4e82
                                                                    • Instruction Fuzzy Hash: 5DF06D71904711BBDB203B758D0AAAB7E95AB06315F0009BEF982916E2D6798C408F9A
                                                                    APIs
                                                                      • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                    • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041AE83
                                                                    • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE91
                                                                    • Sleep.KERNEL32(00002710), ref: 0041AE98
                                                                    • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AEA1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: PlaySound$HandleLocalModuleSleepTime
                                                                    • String ID: Alarm triggered
                                                                    • API String ID: 614609389-2816303416
                                                                    • Opcode ID: 3a0a6838436f72e464f3f9b922c545e7727b8fea0b38228e9900d288e1fe9cfd
                                                                    • Instruction ID: 264e31dd7f8ae4a58c3cd97330858728e5483d82e525179ed11d996d756d41c5
                                                                    • Opcode Fuzzy Hash: 3a0a6838436f72e464f3f9b922c545e7727b8fea0b38228e9900d288e1fe9cfd
                                                                    • Instruction Fuzzy Hash: 3EE0D826A40220779A10337B6D0FD6F3D29CAC3B2570100BFFA05660C2DD540C01C6FB
                                                                    APIs
                                                                    • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CE7E), ref: 0041CDF3
                                                                    • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE00
                                                                    • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CE7E), ref: 0041CE0D
                                                                    • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE20
                                                                    Strings
                                                                    • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CE13
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                                    • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                                    • API String ID: 3024135584-2418719853
                                                                    • Opcode ID: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                                                    • Instruction ID: 3099d3b49c49d1df3d44327ff87017ee7d1b0803ff7cdb2815dc6b7c28d9377e
                                                                    • Opcode Fuzzy Hash: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                                                    • Instruction Fuzzy Hash: B6E04872504315E7E31027B5EC4DCAB7B7CE745613B100266FA16915D39A749C41C6B5
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 52d86c3ce57e0cfe0599c5a04198a87027602046587802b200418d3fba34e127
                                                                    • Instruction ID: 15e211ccade7fc2a5debfa8ad78d9bfa955d5b29a73147504924d067d3782226
                                                                    • Opcode Fuzzy Hash: 52d86c3ce57e0cfe0599c5a04198a87027602046587802b200418d3fba34e127
                                                                    • Instruction Fuzzy Hash: 2771D4319012569BEB21CF55C884AFFBB75EF55310F19412BE815672A0DB78CCC1CBA8
                                                                    APIs
                                                                    • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                                                    • _free.LIBCMT ref: 0044943D
                                                                      • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                      • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                    • _free.LIBCMT ref: 00449609
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                                    • String ID:
                                                                    • API String ID: 1286116820-0
                                                                    • Opcode ID: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
                                                                    • Instruction ID: 45cf5ea20785abb2a7eec221213eb08c1b8584214e6df16efc40294c4842d026
                                                                    • Opcode Fuzzy Hash: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
                                                                    • Instruction Fuzzy Hash: 1B51EC71900205ABEB14EF69DD819AFB7B8EF44724F20066FE418D3291EB789D41DB58
                                                                    APIs
                                                                      • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                                      • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
                                                                    • Process32FirstW.KERNEL32(00000000,?), ref: 0040F97A
                                                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F989
                                                                    • CloseHandle.KERNEL32(00000000), ref: 0040FB40
                                                                      • Part of subcall function 0041C076: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F634,00000000,?,?,00475348), ref: 0041C08B
                                                                      • Part of subcall function 0041C076: IsWow64Process.KERNEL32(00000000,?,?,?,00475348), ref: 0041C096
                                                                      • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                                      • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FB31
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                                    • String ID:
                                                                    • API String ID: 2180151492-0
                                                                    • Opcode ID: 70a9864e201568bc9c1415d9391edbd9f36389d712aec8fe8c5933c5304958f4
                                                                    • Instruction ID: 39de0d33b69ea9088fa68d935cf3ef43cf04ff0480c7130c1a021fac56d243da
                                                                    • Opcode Fuzzy Hash: 70a9864e201568bc9c1415d9391edbd9f36389d712aec8fe8c5933c5304958f4
                                                                    • Instruction Fuzzy Hash: 8D4136311083419BC325F722DC51AEFB3A5AF94305F50493EF58A921E2EF385A49C65A
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _free
                                                                    • String ID:
                                                                    • API String ID: 269201875-0
                                                                    • Opcode ID: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                                                    • Instruction ID: bbec49e9ccdd5c2af131aecc9b6810ea24321c3eb42f74c08fbdd36582e243a3
                                                                    • Opcode Fuzzy Hash: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                                                    • Instruction Fuzzy Hash: 5F41E232E00200AFEB14DF78C881A5EB3B5EF89B18F1545AEE915EB351D735AE05CB84
                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92), ref: 004511F9
                                                                    • __alloca_probe_16.LIBCMT ref: 00451231
                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?), ref: 00451282
                                                                    • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?,00000002,00000000), ref: 00451294
                                                                    • __freea.LIBCMT ref: 0045129D
                                                                      • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                                    • String ID:
                                                                    • API String ID: 313313983-0
                                                                    • Opcode ID: 505ad9812f568066b07f0fb8a09e4f725dd1d0495a5b090eb77152ea1c2fabb2
                                                                    • Instruction ID: f723c28c07ecd650b398e20bb728631ced1c531215915adb10fa1f31571a6cea
                                                                    • Opcode Fuzzy Hash: 505ad9812f568066b07f0fb8a09e4f725dd1d0495a5b090eb77152ea1c2fabb2
                                                                    • Instruction Fuzzy Hash: F7310331A0020AABDF249F65DC41EAF7BA5EB04701F0445AAFC08E72A2E739CC55CB94
                                                                    APIs
                                                                      • Part of subcall function 00413733: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,00475300), ref: 0041374F
                                                                      • Part of subcall function 00413733: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00413768
                                                                      • Part of subcall function 00413733: RegCloseKey.KERNEL32(00000000), ref: 00413773
                                                                    • Sleep.KERNEL32(00000BB8), ref: 004127B5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseOpenQuerySleepValue
                                                                    • String ID: HSG$exepath$xdF$RG
                                                                    • API String ID: 4119054056-3038920021
                                                                    • Opcode ID: c4910f7145f7cabad12a11c825a9982b7c40ce0abb7968876c3fce6d3367946f
                                                                    • Instruction ID: 7f535f989f64e3217726da85717e45219a172cbdcd35e6ae3f2d68e0f7be43ad
                                                                    • Opcode Fuzzy Hash: c4910f7145f7cabad12a11c825a9982b7c40ce0abb7968876c3fce6d3367946f
                                                                    • Instruction Fuzzy Hash: 1F21D8A1B043042BD604B7365D4AAAF724D8B80358F40897FBA56E73D3EEBD9C45826D
                                                                    APIs
                                                                    • GetEnvironmentStringsW.KERNEL32 ref: 0044F3E3
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F406
                                                                      • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F42C
                                                                    • _free.LIBCMT ref: 0044F43F
                                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F44E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                    • String ID:
                                                                    • API String ID: 336800556-0
                                                                    • Opcode ID: bd5b513fc8b609e28947bb0fbcaa4a85653cdf481583ed06f966610d709b3706
                                                                    • Instruction ID: b6d7bf627ac8e1e23e8e90154f8049d5dc13ee9613ce4caf203d647ba434722a
                                                                    • Opcode Fuzzy Hash: bd5b513fc8b609e28947bb0fbcaa4a85653cdf481583ed06f966610d709b3706
                                                                    • Instruction Fuzzy Hash: 2401DF72602721BF37211ABB5C8DC7F6AACDEC6FA5355013AFD04D2202DE688D0691B9
                                                                    APIs
                                                                    • GetEnvironmentStringsW.KERNEL32 ref: 1000715C
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000717F
                                                                      • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 100071A5
                                                                    • _free.LIBCMT ref: 100071B8
                                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 100071C7
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4517676071.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4517659221.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4517676071.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                    • String ID:
                                                                    • API String ID: 336800556-0
                                                                    • Opcode ID: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
                                                                    • Instruction ID: fdf90bdbf822fabaf3dd9d310e80898d5fc59248e37e3ebe61ec6e18e74c85b1
                                                                    • Opcode Fuzzy Hash: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
                                                                    • Instruction Fuzzy Hash: 6601D872A01225BB73129BBE5C8CDBF2A6DFBC69E0311012AFD0CC7288DB658C0181B0
                                                                    APIs
                                                                    • GetLastError.KERNEL32(?,00000000,00000000,0043BCD6,00000000,00000000,?,0043BD5A,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044831E
                                                                    • _free.LIBCMT ref: 00448353
                                                                    • _free.LIBCMT ref: 0044837A
                                                                    • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448387
                                                                    • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448390
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorLast$_free
                                                                    • String ID:
                                                                    • API String ID: 3170660625-0
                                                                    • Opcode ID: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                                                                    • Instruction ID: 5af5a014564f127a9d6b3613d5887cb4baea3ca98ff5bc54bcf39f1731b7af1a
                                                                    • Opcode Fuzzy Hash: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                                                                    • Instruction Fuzzy Hash: 3401F936100B006BB7117A2A5C45E6F3259DBD2B75B35093FFD1892292EF7ECC02812D
                                                                    APIs
                                                                    • GetLastError.KERNEL32(00000000,?,00000000,1000636D,10005713,00000000,?,10002249,?,?,10001D66,00000000,?,?,00000000), ref: 10005B7F
                                                                    • _free.LIBCMT ref: 10005BB4
                                                                    • _free.LIBCMT ref: 10005BDB
                                                                    • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BE8
                                                                    • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BF1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4517676071.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4517659221.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4517676071.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast$_free
                                                                    • String ID:
                                                                    • API String ID: 3170660625-0
                                                                    • Opcode ID: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                                                                    • Instruction ID: a404960836b3e2f032ab47abdd1028028b52a365ddf0c47563f665e512f3cffd
                                                                    • Opcode Fuzzy Hash: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                                                                    • Instruction Fuzzy Hash: 5501F47A108A52A7F202E7345C85E1F3AAEDBC55F37220025FD19A615EEF73FD024164
                                                                    APIs
                                                                    • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                                    • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                                    • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041C2B9
                                                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2C4
                                                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2CC
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Process$CloseHandleOpen$FileImageName
                                                                    • String ID:
                                                                    • API String ID: 2951400881-0
                                                                    • Opcode ID: ba3ea50cb646477030606071dcac17ec13321efbd804a8471714c0f1fa06d59f
                                                                    • Instruction ID: eb9e11a2b0883253d54455b1eb0df9c10e535dd1e95c930e162dea6fb874dde8
                                                                    • Opcode Fuzzy Hash: ba3ea50cb646477030606071dcac17ec13321efbd804a8471714c0f1fa06d59f
                                                                    • Instruction Fuzzy Hash: 2F01F231680215ABD71066949C8AFA7B66C8B84756F0001ABFA08D2292EE74CD81466A
                                                                    APIs
                                                                    • lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                                                    • lstrcatW.KERNEL32(?,?,?,100010DF,?,?,?,00000000), ref: 10001EAC
                                                                    • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                                                    • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                                                    • lstrcatW.KERNEL32(?,100010DF,?,100010DF,?,?,?,00000000), ref: 10001ED3
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4517676071.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4517659221.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4517676071.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: lstrlen$lstrcat
                                                                    • String ID:
                                                                    • API String ID: 493641738-0
                                                                    • Opcode ID: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
                                                                    • Instruction ID: f5d9027fafc921fe84ae6627056796c55de3fa1ad923a59450c5185d8ca5453c
                                                                    • Opcode Fuzzy Hash: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
                                                                    • Instruction Fuzzy Hash: D8F082261002207AF621772AECC5FBF7B7CEFC6AA0F04001AFA0C83194DB54684292B5
                                                                    APIs
                                                                    • _free.LIBCMT ref: 00450A54
                                                                      • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                      • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                    • _free.LIBCMT ref: 00450A66
                                                                    • _free.LIBCMT ref: 00450A78
                                                                    • _free.LIBCMT ref: 00450A8A
                                                                    • _free.LIBCMT ref: 00450A9C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                    • String ID:
                                                                    • API String ID: 776569668-0
                                                                    • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                                                    • Instruction ID: 72fff71e7c38304dd33e0b5962bcef44c8ad6e5fbb3f6de42623dcf71f8de19c
                                                                    • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                                                    • Instruction Fuzzy Hash: F7F012765053006B9620EB5DE883C1773D9EA157117A68C1BF549DB652C778FCC0866C
                                                                    APIs
                                                                    • _free.LIBCMT ref: 100091D0
                                                                      • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                      • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                    • _free.LIBCMT ref: 100091E2
                                                                    • _free.LIBCMT ref: 100091F4
                                                                    • _free.LIBCMT ref: 10009206
                                                                    • _free.LIBCMT ref: 10009218
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4517676071.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4517659221.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4517676071.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                    • String ID:
                                                                    • API String ID: 776569668-0
                                                                    • Opcode ID: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                                                                    • Instruction ID: a08e021c65853776c99c3fd86fadada58ae96d962e635c5153d22f52a77de1c5
                                                                    • Opcode Fuzzy Hash: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                                                                    • Instruction Fuzzy Hash: 77F06DB161C650ABE664DB58EAC6C4B7BEDFB003E13608805FC4DD7549CB31FC809A64
                                                                    APIs
                                                                    • _free.LIBCMT ref: 00444106
                                                                      • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                      • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                    • _free.LIBCMT ref: 00444118
                                                                    • _free.LIBCMT ref: 0044412B
                                                                    • _free.LIBCMT ref: 0044413C
                                                                    • _free.LIBCMT ref: 0044414D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                    • String ID:
                                                                    • API String ID: 776569668-0
                                                                    • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                                                    • Instruction ID: 0e9c2896d1a2baf17e4b980eca3efa8a556ca0a6e45d827b59e8921ed08f8926
                                                                    • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                                                    • Instruction Fuzzy Hash: 91F03AB18025208FA731AF2DBD528053BA1A705720356853BF40C62A71C7B849C2DFDF
                                                                    APIs
                                                                    • _free.LIBCMT ref: 1000536F
                                                                      • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                      • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                    • _free.LIBCMT ref: 10005381
                                                                    • _free.LIBCMT ref: 10005394
                                                                    • _free.LIBCMT ref: 100053A5
                                                                    • _free.LIBCMT ref: 100053B6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4517676071.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4517659221.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4517676071.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                    • String ID:
                                                                    • API String ID: 776569668-0
                                                                    • Opcode ID: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
                                                                    • Instruction ID: ba906e9feca9bc6e71cd1aa5ebacb8f64a9f241ffe6b13fedf7f16c4e4854dfa
                                                                    • Opcode Fuzzy Hash: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
                                                                    • Instruction Fuzzy Hash: 38F0F478C18934EBF741DF28ADC140A3BB5F718A91342C15AFC1497279DB36D9429B84
                                                                    APIs
                                                                    • GetWindowThreadProcessId.USER32(?,?), ref: 0041763E
                                                                    • GetWindowTextW.USER32(?,?,0000012C), ref: 00417670
                                                                    • IsWindowVisible.USER32(?), ref: 00417677
                                                                      • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                                      • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ProcessWindow$Open$TextThreadVisible
                                                                    • String ID: (VG
                                                                    • API String ID: 3142014140-3443974315
                                                                    • Opcode ID: 1baf2b36f406f68612dd3bf221cbfa5b4dbec734512bd4c63de197ccecc89d5c
                                                                    • Instruction ID: 57afc706987f0d359dfa573bc041c79e98ae29994c94316b8148008c339bd05b
                                                                    • Opcode Fuzzy Hash: 1baf2b36f406f68612dd3bf221cbfa5b4dbec734512bd4c63de197ccecc89d5c
                                                                    • Instruction Fuzzy Hash: 6E7109311082419AC365FB22D8959EFB3E5BFD4308F50493FF18A560E5EF746A49CB8A
                                                                    APIs
                                                                    • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                                                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                                                                    • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413BC6
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Enum$InfoQueryValue
                                                                    • String ID: [regsplt]
                                                                    • API String ID: 3554306468-4262303796
                                                                    • Opcode ID: 048ab2dd9f71d5d516bd20a1639258bde8a4d6b33d369492628411f657c75bcf
                                                                    • Instruction ID: fa843d34e07254c46a29a5d4d7bbb73928c81f50e0ccc4a220fcc0531dc04ae2
                                                                    • Opcode Fuzzy Hash: 048ab2dd9f71d5d516bd20a1639258bde8a4d6b33d369492628411f657c75bcf
                                                                    • Instruction Fuzzy Hash: DF512C72900219AADB11EB95DC86EEEB77DAF04304F1000BAE505F6191EF746B48CBA9
                                                                    APIs
                                                                    • _strpbrk.LIBCMT ref: 0044E7B8
                                                                    • _free.LIBCMT ref: 0044E8D5
                                                                      • Part of subcall function 0043BD68: IsProcessorFeaturePresent.KERNEL32(00000017,0043BD3A,00405103,?,00000000,00000000,004020A6,00000000,00000000,?,0043BD5A,00000000,00000000,00000000,00000000,00000000), ref: 0043BD6A
                                                                      • Part of subcall function 0043BD68: GetCurrentProcess.KERNEL32(C0000417,?,00405103), ref: 0043BD8C
                                                                      • Part of subcall function 0043BD68: TerminateProcess.KERNEL32(00000000,?,00405103), ref: 0043BD93
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                                    • String ID: *?$.
                                                                    • API String ID: 2812119850-3972193922
                                                                    • Opcode ID: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                                                    • Instruction ID: bbc13fc8ee10fdca904a4e9292213e09ebfa005f106ef5a16faeda3ce4fd08f7
                                                                    • Opcode Fuzzy Hash: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                                                    • Instruction Fuzzy Hash: C251B175E00209AFEF14DFAAC881AAEF7B5FF58314F24416EE844E7341E6399A018B54
                                                                    APIs
                                                                    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe,00000104), ref: 10004C1D
                                                                    • _free.LIBCMT ref: 10004CE8
                                                                    • _free.LIBCMT ref: 10004CF2
                                                                    Strings
                                                                    • C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe, xrefs: 10004C14, 10004C1B, 10004C4A, 10004C82
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4517676071.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4517659221.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4517676071.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: _free$FileModuleName
                                                                    • String ID: C:\Users\user\Desktop\1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe
                                                                    • API String ID: 2506810119-651840231
                                                                    • Opcode ID: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                                                                    • Instruction ID: 12f2da1a58c9c923660241357757b5dddff340f6d61411cdc8d35d961f62cc7a
                                                                    • Opcode Fuzzy Hash: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                                                                    • Instruction Fuzzy Hash: EB31A0B5A01258EFFB51CF99CC81D9EBBFCEB88390F12806AF80497215DA709E41CB54
                                                                    APIs
                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                                                      • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,00475300), ref: 0041BA30
                                                                      • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                                                      • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                                                      • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                                                    • Sleep.KERNEL32(000000FA,00465E84), ref: 00404138
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                                    • String ID: /sort "Visit Time" /stext "$@NG
                                                                    • API String ID: 368326130-3944316004
                                                                    • Opcode ID: 5d2626caa2882f10f2dbb8313e835b38e1b4659d43752cfdf627f70e315d9b64
                                                                    • Instruction ID: 88307c0d9f74f86904655d2c31cb74d6ebeba16a9e6c7dae8368527950f1c452
                                                                    • Opcode Fuzzy Hash: 5d2626caa2882f10f2dbb8313e835b38e1b4659d43752cfdf627f70e315d9b64
                                                                    • Instruction Fuzzy Hash: EB316171A001195ACB15FBA6DC969ED7375AF90308F00007FF60AB71E2EF785E49CA99
                                                                    APIs
                                                                      • Part of subcall function 0040C4FE: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                                                    • PathFileExistsW.SHLWAPI(00000000), ref: 0040C658
                                                                    • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C6C3
                                                                    Strings
                                                                    • User Data\Profile ?\Network\Cookies, xrefs: 0040C670
                                                                    • User Data\Default\Network\Cookies, xrefs: 0040C63E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ExistsFilePath
                                                                    • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                                    • API String ID: 1174141254-1980882731
                                                                    • Opcode ID: 97a5ada962bae72897b7f94b11cd40aa52c1d6f994a23f407ee9340b66b1d139
                                                                    • Instruction ID: a3c4a2fc075df05cc4efb8d324c4514c6f5a9a9113215be8183f294a60e8cc46
                                                                    • Opcode Fuzzy Hash: 97a5ada962bae72897b7f94b11cd40aa52c1d6f994a23f407ee9340b66b1d139
                                                                    • Instruction Fuzzy Hash: 0621E27190011A96CB14FBA2DC96DEEBB7CAE50319B40053FF506B31D2EF789946C6D8
                                                                    APIs
                                                                      • Part of subcall function 0040C561: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                                                    • PathFileExistsW.SHLWAPI(00000000), ref: 0040C727
                                                                    • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C792
                                                                    Strings
                                                                    • User Data\Profile ?\Network\Cookies, xrefs: 0040C73F
                                                                    • User Data\Default\Network\Cookies, xrefs: 0040C70D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ExistsFilePath
                                                                    • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                                    • API String ID: 1174141254-1980882731
                                                                    • Opcode ID: e30cb4288211014db5c272c31aa753e5001111b8c3c97bf560fde133b4847c17
                                                                    • Instruction ID: 531025beeaae0c5c42121d483a56170e39db3028f8febaf9efde6b64dfa31b71
                                                                    • Opcode Fuzzy Hash: e30cb4288211014db5c272c31aa753e5001111b8c3c97bf560fde133b4847c17
                                                                    • Instruction Fuzzy Hash: 4821127190011A96CB04F7A2DC96CEEBB78AE50359B40013FF506B31D2EF789946C6D8
                                                                    APIs
                                                                    • CreateThread.KERNEL32(00000000,00000000,0040A2B8,?,00000000,00000000), ref: 0040A239
                                                                    • CreateThread.KERNEL32(00000000,00000000,0040A2A2,?,00000000,00000000), ref: 0040A249
                                                                    • CreateThread.KERNEL32(00000000,00000000,0040A2C4,?,00000000,00000000), ref: 0040A255
                                                                      • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B1AD
                                                                      • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateThread$LocalTimewsprintf
                                                                    • String ID: Offline Keylogger Started
                                                                    • API String ID: 465354869-4114347211
                                                                    • Opcode ID: 8039d28b38964ef1b6d7858d54235a5994c5216ccdeb1f4035efa27a3bcafc1d
                                                                    • Instruction ID: fa9a7328340dc7f48b0d085764b542104813bfc3ea66268f7111ac5d0199d402
                                                                    • Opcode Fuzzy Hash: 8039d28b38964ef1b6d7858d54235a5994c5216ccdeb1f4035efa27a3bcafc1d
                                                                    • Instruction Fuzzy Hash: 1111ABB12003187ED210BB368C87CBB765DDA4139CB40057FF946221C2EA795D14CAFB
                                                                    APIs
                                                                      • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B1AD
                                                                      • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                                      • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 0040AFA9
                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 0040AFB5
                                                                    • CreateThread.KERNEL32(00000000,00000000,0040A2D0,?,00000000,00000000), ref: 0040AFC1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateThread$LocalTime$wsprintf
                                                                    • String ID: Online Keylogger Started
                                                                    • API String ID: 112202259-1258561607
                                                                    • Opcode ID: 388f0613ca8bc6199ef7c00c5f876e1879b15845a113e9e69022df01242fadf4
                                                                    • Instruction ID: 1fd114496b08e8c1d91a2f23279a740fccf8855fe00c80ef0b78f2cd7c44f0e8
                                                                    • Opcode Fuzzy Hash: 388f0613ca8bc6199ef7c00c5f876e1879b15845a113e9e69022df01242fadf4
                                                                    • Instruction Fuzzy Hash: 2A01C4A07003193EE62076368C8BDBF7A6DCA91398F4004BFF641362C2E97D1C1586FA
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406ABD
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00406AC4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressLibraryLoadProc
                                                                    • String ID: CryptUnprotectData$crypt32
                                                                    • API String ID: 2574300362-2380590389
                                                                    • Opcode ID: b88f03605d096aaa2152f3ebf69acb5fe9b1e31435291808458d2189a413eed3
                                                                    • Instruction ID: 345ee013d26fc91f442c93551971226c597518e80cf45168a44a65f4e30a47e9
                                                                    • Opcode Fuzzy Hash: b88f03605d096aaa2152f3ebf69acb5fe9b1e31435291808458d2189a413eed3
                                                                    • Instruction Fuzzy Hash: 1D01F575A00215BBCB18CFAC8C409AF7BB8EB85300F0041BEE94AE3381DA34AD00CB94
                                                                    APIs
                                                                    • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                                                    • CloseHandle.KERNEL32(?), ref: 004051CA
                                                                    • SetEvent.KERNEL32(?), ref: 004051D9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseEventHandleObjectSingleWait
                                                                    • String ID: Connection Timeout
                                                                    • API String ID: 2055531096-499159329
                                                                    • Opcode ID: aea94675e7c534c52cb53f54c205b860b10a02e3c4213e765d5fd14c325240d7
                                                                    • Instruction ID: 0252d74fe4ede7253ae2eff4a1d35319ac7a80acec65437dc80477e116da68d3
                                                                    • Opcode Fuzzy Hash: aea94675e7c534c52cb53f54c205b860b10a02e3c4213e765d5fd14c325240d7
                                                                    • Instruction Fuzzy Hash: 4A01F530A40F00AFD7216F368D8642BBFE0EB00306704093FE68356AE2D6789800CF89
                                                                    APIs
                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E86E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Exception@8Throw
                                                                    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                    • API String ID: 2005118841-1866435925
                                                                    • Opcode ID: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
                                                                    • Instruction ID: 287a1f786264602a2f100ba68ee8cd07dacd1bfc9ef62352ff5e55a88b78f620
                                                                    • Opcode Fuzzy Hash: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
                                                                    • Instruction Fuzzy Hash: 59018F626583087AEB14B697CC03FBA33685B10708F10CC3BBD01765C2EA7D6A61C66F
                                                                    APIs
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFEC
                                                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040E02B
                                                                      • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 004356EC
                                                                      • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 00435710
                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E051
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                                    • String ID: bad locale name
                                                                    • API String ID: 3628047217-1405518554
                                                                    • Opcode ID: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                                                                    • Instruction ID: 7f9ccd90240ef42149755af47b5df127ed13e8783c268b42739d505c0e35a915
                                                                    • Opcode Fuzzy Hash: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                                                                    • Instruction Fuzzy Hash: 77F08131544A085AC338FA62D863DDA73B49F14358F50457FB406268D2EF78BA0CCA9D
                                                                    APIs
                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_0001D4EE,00000000,00000000,00000000), ref: 00416C82
                                                                    • ShowWindow.USER32(00000009), ref: 00416C9C
                                                                    • SetForegroundWindow.USER32 ref: 00416CA8
                                                                      • Part of subcall function 0041CE2C: AllocConsole.KERNEL32(00475348), ref: 0041CE35
                                                                      • Part of subcall function 0041CE2C: GetConsoleWindow.KERNEL32 ref: 0041CE3B
                                                                      • Part of subcall function 0041CE2C: ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                                                      • Part of subcall function 0041CE2C: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Window$Console$Show$AllocCreateForegroundOutputThread
                                                                    • String ID: !D@
                                                                    • API String ID: 186401046-604454484
                                                                    • Opcode ID: c28b7efb6e9b123e9bbf35ecfc69271c77d7c0d816cf9c8e66969055ba9ab20b
                                                                    • Instruction ID: b1493b377ee00385912555b1a5c9642ee05cd41efde33f67b603c236d656be44
                                                                    • Opcode Fuzzy Hash: c28b7efb6e9b123e9bbf35ecfc69271c77d7c0d816cf9c8e66969055ba9ab20b
                                                                    • Instruction Fuzzy Hash: 81F03A70148340AAD720AF65ED55BBABB69EB54301F01487BFA09C20F2DB389C94869E
                                                                    APIs
                                                                    • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041616B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ExecuteShell
                                                                    • String ID: /C $cmd.exe$open
                                                                    • API String ID: 587946157-3896048727
                                                                    • Opcode ID: f44f3a75cb8e05523d561960cc0be4386eb784bc6dcc6058ee8d5990d9ea8ce9
                                                                    • Instruction ID: 08f4dee505367bf09000beb2be63de5ecd082ae46aa0e0363999309db21c3e05
                                                                    • Opcode Fuzzy Hash: f44f3a75cb8e05523d561960cc0be4386eb784bc6dcc6058ee8d5990d9ea8ce9
                                                                    • Instruction Fuzzy Hash: 5EE0C0B0204305ABC605F675DC96CBF73ADAA94749B50483F7142A20E2EF7C9D49C65D
                                                                    APIs
                                                                    • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8B1
                                                                    • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8DC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: DeleteDirectoryFileRemove
                                                                    • String ID: pth_unenc$xdF
                                                                    • API String ID: 3325800564-2448381268
                                                                    • Opcode ID: ad03ad6105e2805cf24512cd36e8b9a34d70bf8a7d384e6b6b2237e166b151ae
                                                                    • Instruction ID: ee660421d7ec44f6c6eaad5e9e1fc6482a22fb53094cf60c5c3e5a772ac54322
                                                                    • Opcode Fuzzy Hash: ad03ad6105e2805cf24512cd36e8b9a34d70bf8a7d384e6b6b2237e166b151ae
                                                                    • Instruction Fuzzy Hash: 5AE04F314006109BC610BB218854AD6335CAB04316F00497BE4A3A35A1DF38AC49D658
                                                                    APIs
                                                                    • TerminateThread.KERNEL32(0040A2B8,00000000,00475300,pth_unenc,0040D0F3,004752E8,00475300,?,pth_unenc), ref: 0040B8F6
                                                                    • UnhookWindowsHookEx.USER32(00475100), ref: 0040B902
                                                                    • TerminateThread.KERNEL32(0040A2A2,00000000,?,pth_unenc), ref: 0040B910
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: TerminateThread$HookUnhookWindows
                                                                    • String ID: pth_unenc
                                                                    • API String ID: 3123878439-4028850238
                                                                    • Opcode ID: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                                                                    • Instruction ID: 372ac16de24f92ae7b862ff59389ff52a9cc8b3ac2037ffe6dc6d1e564519698
                                                                    • Opcode Fuzzy Hash: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                                                                    • Instruction Fuzzy Hash: 71E01272204315EFD7201F909C888667AADEE1539632409BEF6C261BB6CB7D4C54C79D
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: __alldvrm$_strrchr
                                                                    • String ID:
                                                                    • API String ID: 1036877536-0
Memory Dump Source
• Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
Yara matches
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
Memory Dump Source
• Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,10006FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 10008731
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 100087BA
• GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 100087CC
• __freea.LIBCMT ref: 100087D5
  • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
Memory Dump Source
• Source File: 00000000.00000002.4517676071.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4517659221.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4517676071.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__freea
• String ID:
• API String ID: 2652629310-0
Strings
• Cleared browsers logins and cookies., xrefs: 0040C130
• [Cleared browsers logins and cookies.], xrefs: 0040C11F
Memory Dump Source
• Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
• API String ID: 3472027048-1236744412
APIs
  • Part of subcall function 0041C5E2: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C5F2
  • Part of subcall function 0041C5E2: GetWindowTextLengthW.USER32(00000000), ref: 0041C5FB
  • Part of subcall function 0041C5E2: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C625
• Sleep.KERNEL32(000001F4), ref: 0040A5AE
• Sleep.KERNEL32(00000064), ref: 0040A638
Memory Dump Source
• Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
Yara matches
Similarity
• API ID: Window$SleepText$ForegroundLength
• String ID: [ $ ]
• API String ID: 3309952895-93608704
Memory Dump Source
• Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
Yara matches
Similarity
• API ID: SystemTimes$Sleep__aulldiv
• String ID:
• API String ID: 188215759-0
Memory Dump Source
• Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue), ref: 00448618
• GetLastError.KERNEL32(?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367), ref: 00448624
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000), ref: 00448632
Memory Dump Source
• Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
Yara matches
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,10001D66,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue), ref: 10005D13
• GetLastError.KERNEL32(?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000,00000364,?,10005BC8), ref: 10005D1F
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000), ref: 10005D2D
Memory Dump Source
• Source File: 00000000.00000002.4517676071.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4517659221.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4517676071.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
APIs
• ___BuildCatchObject.LIBVCRUNTIME ref: 004398FA
  • Part of subcall function 00439F32: ___AdjustPointer.LIBCMT ref: 00439F7C
• _UnwindNestedFrames.LIBCMT ref: 00439911
• ___FrameUnwindToState.LIBVCRUNTIME ref: 00439923
• CallCatchBlock.LIBVCRUNTIME ref: 00439947
Memory Dump Source
• Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
Yara matches
Similarity
• API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
• String ID:
• API String ID: 2633735394-0
                                                                    • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                                                    • Instruction ID: 1eef882e9718bbd9a0ab38cd68ce054dbb3f9d4064fa539f417e17899f1f7293
                                                                    • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                                                    • Instruction Fuzzy Hash: 38010532000109BBCF125F56CC01EDA3BAAEF5C754F05901AF95865221C3BAE862ABA4
                                                                    APIs
                                                                    • GetSystemMetrics.USER32(0000004C), ref: 0041942B
                                                                    • GetSystemMetrics.USER32(0000004D), ref: 00419431
                                                                    • GetSystemMetrics.USER32(0000004E), ref: 00419437
                                                                    • GetSystemMetrics.USER32(0000004F), ref: 0041943D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: MetricsSystem
                                                                    • String ID:
                                                                    • API String ID: 4116985748-0
                                                                    • Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                                                    • Instruction ID: fd4820a3fb0c8fcfb80096478546269f04700e3de9cdf271d69d174aa35805c7
                                                                    • Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                                                    • Instruction Fuzzy Hash: 3FF0A4B1B043155BD700EE758C51A6B6ADAEBD4364F10043FF60887281EFB8DC468B84
                                                                    APIs
                                                                    • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438FB1
                                                                    • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438FB6
                                                                    • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438FBB
                                                                      • Part of subcall function 0043A4BA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A4CB
                                                                    • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438FD0
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                                    • String ID:
                                                                    • API String ID: 1761009282-0
                                                                    • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                                    • Instruction ID: 3a6c9073cd349407f79861cc5a63413a30b4b1af88e8d748f4708d1390bfb410
                                                                    • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                                    • Instruction Fuzzy Hash: 8DC04C44080381552C50B6B2110B2AF83521C7E38CF9074DFBDD1579474D5D052F553F
                                                                    APIs
                                                                    • __startOneArgErrorHandling.LIBCMT ref: 00442D3D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorHandling__start
                                                                    • String ID: pow
                                                                    • API String ID: 3213639722-2276729525
                                                                    • Opcode ID: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                                                    • Instruction ID: 2abd0c7c8e13d4a8cd2c8141c546921d868ac315c0d238e81b652aa6ec7fde8b
                                                                    • Opcode Fuzzy Hash: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                                                    • Instruction Fuzzy Hash: 92515AE1E0460296FB167714CE4137B6794AB50741F70497BF0D6823EAEA7C8C859B4F
                                                                    APIs
                                                                    • _free.LIBCMT ref: 1000655C
                                                                      • Part of subcall function 100062BC: IsProcessorFeaturePresent.KERNEL32(00000017,100062AB,00000000,?,?,?,?,00000016,?,?,100062B8,00000000,00000000,00000000,00000000,00000000), ref: 100062BE
                                                                      • Part of subcall function 100062BC: GetCurrentProcess.KERNEL32(C0000417), ref: 100062E0
                                                                      • Part of subcall function 100062BC: TerminateProcess.KERNEL32(00000000), ref: 100062E7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4517676071.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                     • Associated: 00000000.00000002.4517659221.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                     • Associated: 00000000.00000002.4517676071.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                                    • String ID: *?$.
                                                                    • API String ID: 2667617558-3972193922
                                                                    • Opcode ID: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                                                    • Instruction ID: 55016225c6cf3c2ad74d5bf99958d96f24b8fe448c0df4d83e2be8db5664878a
                                                                    • Opcode Fuzzy Hash: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                                                    • Instruction Fuzzy Hash: 2D519475E0060A9FEB14CFA8CC81AADB7F6FF4C394F258169E854E7349D635AE018B50
                                                                    APIs
                                                                    • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418AF9
                                                                      • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                                                                    • SHCreateMemStream.SHLWAPI(00000000), ref: 00418B46
                                                                      • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                                                                      • Part of subcall function 004186B4: GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                                    • String ID: image/jpeg
                                                                    • API String ID: 1291196975-3785015651
                                                                    • Opcode ID: f7762c1077cd22b9d0966c79a8c7972fb49086d0d121f5f9ad0777a9e048a50c
                                                                    • Instruction ID: b1b0a2c635f45e8130f4767810c6fbb161559e0826da6e7acb487c9aae22ef17
                                                                    • Opcode Fuzzy Hash: f7762c1077cd22b9d0966c79a8c7972fb49086d0d121f5f9ad0777a9e048a50c
                                                                    • Instruction Fuzzy Hash: 6D316F72504310AFC701EF65C884D6FB7E9EF8A304F00496EF98597251DB7999048B66
                                                                    APIs
                                                                    • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451E12,?,00000050,?,?,?,?,?), ref: 00451C92
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ACP$OCP
                                                                    • API String ID: 0-711371036
                                                                    • Opcode ID: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                                                    • Instruction ID: 09b953eaa346ea86c897215e5a2a15a508f8bcb16f9b984b1dadcb699cf7d301
                                                                    • Opcode Fuzzy Hash: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                                                    • Instruction Fuzzy Hash: E821D862A80204A6DB36CF14C941BAB7266DB54B13F568426ED0AD7322F73BED45C35C
                                                                    APIs
                                                                    • _wcslen.LIBCMT ref: 00416330
                                                                      • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                                      • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                                                      • Part of subcall function 004138B2: RegCloseKey.KERNEL32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                                                      • Part of subcall function 00409E1F: _wcslen.LIBCMT ref: 00409E38
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _wcslen$CloseCreateValue
                                                                    • String ID: !D@$okmode
                                                                    • API String ID: 3411444782-1942679189
                                                                    • Opcode ID: 7f83a2f3948da31f3d9d5c8ccd2298a435b5cafecaaee845831b0ac8760f9a24
                                                                    • Instruction ID: 3691d04bdc76b081f03c0e50e7d604d291fd2bc6213442c77ae478975c73e837
                                                                    • Opcode Fuzzy Hash: 7f83a2f3948da31f3d9d5c8ccd2298a435b5cafecaaee845831b0ac8760f9a24
                                                                    • Instruction Fuzzy Hash: E211A871B042011BDA187B72D822BBD2296DB84349F80483FF50AAF2E2DFBD4C51535D
                                                                    APIs
                                                                    • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418BE5
                                                                      • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                                                                    • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00418C0A
                                                                      • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                                                                      • Part of subcall function 004186B4: GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                                    • String ID: image/png
                                                                    • API String ID: 1291196975-2966254431
                                                                    • Opcode ID: 5ab440bc048de2cb56d31f74581c152c1f03e682227d906222c769bb8292334a
                                                                    • Instruction ID: f628a6b37c0337dbee8ef7f798de7cbb8cc54a1da061f00231e4b0513ad08027
                                                                    • Opcode Fuzzy Hash: 5ab440bc048de2cb56d31f74581c152c1f03e682227d906222c769bb8292334a
                                                                    • Instruction Fuzzy Hash: 4221C375204211AFC700AB61CC89DBFBBACEFCA314F10452EF54693251DB389945CBA6
                                                                    APIs
                                                                    • GetLocalTime.KERNEL32(?,004755A8,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405030
                                                                      • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                    • GetLocalTime.KERNEL32(?,004755A8,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405087
                                                                    Strings
                                                                    • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: LocalTime
                                                                    • String ID: KeepAlive | Enabled | Timeout:
                                                                    • API String ID: 481472006-1507639952
                                                                    • Opcode ID: b55377216b70fa1a36d234028ab4bcb6d876f08e8a08a2c9e1a3a8c6b24449be
                                                                    • Instruction ID: b700b38ef9f928670de2390b904a97a1cb71e472754ad5b4355c5e73bb52b66b
                                                                    • Opcode Fuzzy Hash: b55377216b70fa1a36d234028ab4bcb6d876f08e8a08a2c9e1a3a8c6b24449be
                                                                    • Instruction Fuzzy Hash: E62104719007806BD710B732A80A76F7B64E755308F44057EE8491B2A2EB7D5988CBDE
                                                                    APIs
                                                                    • Sleep.KERNEL32 ref: 0041667B
                                                                    • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166DD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: DownloadFileSleep
                                                                    • String ID: !D@
                                                                    • API String ID: 1931167962-604454484
                                                                    • Opcode ID: a99e4f790afde7138dbb77877bc04f7b73d36f31349e7c55a80da1105f6356ad
                                                                    • Instruction ID: 943aba663a6785b3e55a0e29e9dd0f60b42d3502aaa7a5a348319576c1e2766f
                                                                    • Opcode Fuzzy Hash: a99e4f790afde7138dbb77877bc04f7b73d36f31349e7c55a80da1105f6356ad
                                                                    • Instruction Fuzzy Hash: 9D1142716083029AC614FF72D8969AE77A4AF50348F400C7FF546531E2EE3C9949C65A
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4517676071.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4517659221.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4517676071.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: _strlen
                                                                    • String ID: : $Se.
                                                                    • API String ID: 4218353326-4089948878
                                                                    • Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                    • Instruction ID: 66f447a9efa091531784e06c0e565222335d100d85517175c1dac28435e0d9bb
                                                                    • Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                    • Instruction Fuzzy Hash: 2F11E7B5904249AEDB11DFA8D841BDEFBFCEF09244F104056E545E7252E6706B02C765
                                                                    APIs
                                                                    • GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: LocalTime
                                                                    • String ID: | $%02i:%02i:%02i:%03i
                                                                    • API String ID: 481472006-2430845779
                                                                    • Opcode ID: 6daf1b74f0be0212c99ecf189ff816e92d6af2c6c3a508f563bd5cefd2cc2aaa
                                                                    • Instruction ID: dc1ef91952a31d7701eba46fb19b130c3a81cf04c31882e55cbcd77cf5b9c3d8
                                                                    • Opcode Fuzzy Hash: 6daf1b74f0be0212c99ecf189ff816e92d6af2c6c3a508f563bd5cefd2cc2aaa
                                                                    • Instruction Fuzzy Hash: 72118E714082455AC304EB62D8519BFB3E9AB44308F50093FF88AA21E1EF3CDA45C69E
                                                                    APIs
                                                                    • PathFileExistsW.SHLWAPI(00000000), ref: 0041ADCD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ExistsFilePath
                                                                    • String ID: alarm.wav$xYG
                                                                    • API String ID: 1174141254-3120134784
                                                                    • Opcode ID: 8fdefe343bf9ffeb28a7c3ee4e6c0106d9ed35135e1c1bd3a9daa0f626893b3c
                                                                    • Instruction ID: fba4c3df788ebc26406fa6248c5b94d62a9d66ba9cb3dc57f05af0bb44f50ff0
                                                                    • Opcode Fuzzy Hash: 8fdefe343bf9ffeb28a7c3ee4e6c0106d9ed35135e1c1bd3a9daa0f626893b3c
                                                                    • Instruction Fuzzy Hash: 78019E7068831166CA04F77688166EE37559B80318F00847FF64A566E2EFBC9A9586CF
                                                                    APIs
                                                                      • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B1AD
                                                                      • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                                      • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                    • CloseHandle.KERNEL32(?), ref: 0040B0EF
                                                                    • UnhookWindowsHookEx.USER32 ref: 0040B102
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                                    • String ID: Online Keylogger Stopped
                                                                    • API String ID: 1623830855-1496645233
                                                                    • Opcode ID: 25f93ffcf353bacc859474f9aeca125fed22c31049c8719b2c97d961c014792c
                                                                    • Instruction ID: 2c7fc3a8f12b1f8c565497f75251163d8124a4eac963031352a4caf2a1bdec21
                                                                    • Opcode Fuzzy Hash: 25f93ffcf353bacc859474f9aeca125fed22c31049c8719b2c97d961c014792c
                                                                    • Instruction Fuzzy Hash: 6F01F530600610ABD7217B35C81B7BE7B729B41304F4004BFE982265C2EBB91856C7DE
                                                                    APIs
                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 10002903
                                                                      • Part of subcall function 100035D2: RaiseException.KERNEL32(?,?,?,10002925,00000000,00000000,00000000,?,?,?,?,?,10002925,?,100121B8), ref: 10003632
                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 10002920
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4517676071.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4517659221.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4517676071.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: Exception@8Throw$ExceptionRaise
                                                                    • String ID: Unknown exception
                                                                    • API String ID: 3476068407-410509341
                                                                    • Opcode ID: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
                                                                    • Instruction ID: 696891806b75a506f07e96a947ab79166ff1ea0d2f17bc9dac180a151cc952bd
                                                                    • Opcode Fuzzy Hash: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
                                                                    • Instruction Fuzzy Hash: 2BF0A47890420D77AB04E6E5EC4599D77ACDB006D0F508161FD1496499EF31FA658690
                                                                    APIs
                                                                    • waveInPrepareHeader.WINMM(0074FD78,00000020,?,?,00476B60,00474EF0,?,00000000,00401A15), ref: 00401849
                                                                    • waveInAddBuffer.WINMM(0074FD78,00000020,?,00000000,00401A15), ref: 0040185F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: wave$BufferHeaderPrepare
                                                                    • String ID: hMG
                                                                    • API String ID: 2315374483-350922481
                                                                    • Opcode ID: 2a7237b1c750756b6a557ff6dbb8ae44e7524d5ce161b2fadacf42baadc53798
                                                                    • Instruction ID: 961ac9ec07701b1a047984959549e732b5ed52ade8bfae490fcb5a94ac50a39c
                                                                    • Opcode Fuzzy Hash: 2a7237b1c750756b6a557ff6dbb8ae44e7524d5ce161b2fadacf42baadc53798
                                                                    • Instruction Fuzzy Hash: 46016D71701301AFC7609F75EC449697BA9FF89355701413AF409C77A2EB759C50CB98
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _free
                                                                    • String ID: $G
                                                                    • API String ID: 269201875-4251033865
                                                                    • Opcode ID: 0435164efccf50aa8117c2daa51ec46fe1437c867187ee89b2aa6ea167946eb6
                                                                    • Instruction ID: 4a6f060c21597e0392f33703011e6e0157da39883ddad7ec559e06d861eb6f1f
                                                                    • Opcode Fuzzy Hash: 0435164efccf50aa8117c2daa51ec46fe1437c867187ee89b2aa6ea167946eb6
                                                                    • Instruction Fuzzy Hash: 64E0E532A0152014F6713A3B6D1665B45C68BC1B3AF22423FF425962C2DFAC8946516E
                                                                    APIs
                                                                    • IsValidLocale.KERNEL32(00000000,kKD,00000000,00000001,?,?,00444B6B,?,?,?,?,00000004), ref: 00448BB2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: LocaleValid
                                                                    • String ID: IsValidLocaleName$kKD
                                                                    • API String ID: 1901932003-3269126172
                                                                    • Opcode ID: e2be842f2307acef5cef967ff3e72c46beaafbec9f28b2cc6d0622aebebc3446
                                                                    • Instruction ID: c774fcfd7954269485cc3e12fd2bed3330e0a6a7af379781e67d062e13931268
                                                                    • Opcode Fuzzy Hash: e2be842f2307acef5cef967ff3e72c46beaafbec9f28b2cc6d0622aebebc3446
                                                                    • Instruction Fuzzy Hash: 9BF05230A80708FBDB016B60DC06FAE7B54CB44B12F10007EFD046B291DE799E0091ED
                                                                    APIs
                                                                    • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ExistsFilePath
                                                                    • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                                                    • API String ID: 1174141254-4188645398
                                                                    • Opcode ID: 4859c672d659d0a1f097c4b87d24339a57335e4ea3a93cd47a728b5256189360
                                                                    • Instruction ID: 9b0ec594f197676e752fca63164bf20e3c748e9c9f1ad615e42e10c79405690b
                                                                    • Opcode Fuzzy Hash: 4859c672d659d0a1f097c4b87d24339a57335e4ea3a93cd47a728b5256189360
                                                                    • Instruction Fuzzy Hash: FEF05E30A00219A6CA04BBB69C478AF7B289910759B40017FBA01B21D3EE78994586DD
                                                                    APIs
                                                                    • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ExistsFilePath
                                                                    • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                                                    • API String ID: 1174141254-2800177040
                                                                    • Opcode ID: f0c0cc8675646142fd89bdb58ed4d14c68212bf39b1608070b4045de8f02391f
                                                                    • Instruction ID: ebfb9b6c20c42028ef61fa2b9513503d2b9bf0243ac81fc6585c9643e3935da3
                                                                    • Opcode Fuzzy Hash: f0c0cc8675646142fd89bdb58ed4d14c68212bf39b1608070b4045de8f02391f
                                                                    • Instruction Fuzzy Hash: F1F05E70A0021AE6CA04BBB69C478EF7B2C9910755B40017BBA01721D3FE7CA94586ED
                                                                    APIs
                                                                    • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5F7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4516748473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4516730944.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516785591.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516809517.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4516847491.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ExistsFilePath
                                                                    • String ID: AppData$\Opera Software\Opera Stable\
                                                                    • API String ID: 1174141254-1629609700
                                                                    • Opcode ID: 966ad1c0b9db51bdb62c7854b74a1cb959393fa177e577b0bdfcd7534c47b356
                                                                    • Instruction ID: 695210f55460e2722832162fecb8267ed9c5d90cd61684e29202a639a57ef244
                                                                    • Opcode Fuzzy Hash: 966ad1c0b9db51bdb62c7854b74a1cb959393fa177e577b0bdfcd7534c47b356
                                                                    • Instruction Fuzzy Hash: 38F05E30A00219D6CA14BBB69C478EF7B2C9950755F1005BBBA01B21D3EE789941C6ED
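The function blocks above pair distinctive strings with the APIs that consume them: GetLocalTime with the "%02i:%02i:%02i:%03i" timestamp format and the "Offline Keylogger Started" / "Online Keylogger Stopped" messages next to UnhookWindowsHookEx, PathFileExistsW probing the Chrome, Edge and Opera profile directories built from UserProfile / AppData, waveInPrepareHeader / waveInAddBuffer for audio input, and URLDownloadToFileW behind a Sleep. The script below is an added triage example, not code from Joe Sandbox or from the sample: it searches a memory dump or unpacked PE image for those literals (in both ASCII and UTF-16LE, since the W-suffixed APIs take wide strings while import names are ASCII) and groups the hits by capability. The capability labels, the two-indicator threshold and the sample buffer are the editor's assumptions; only the literals come from the report. It is meant for dumps such as the .sdmp regions referenced above, where strings and import names are already unpacked; a packed on-disk sample will usually produce no hits.

```python
"""
Capability triage for a memory dump or unpacked PE, driven by the strings and
imported API names listed in the function blocks of this report.
Added example for illustration; not part of the Joe Sandbox report or the sample.
"""
from __future__ import annotations

from collections import defaultdict

# Every literal below is copied from the report's "String ID" / "APIs" lines.
# The capability names are an analyst's interpretation (an assumption), not
# something the report itself states.
INDICATORS: dict[str, list[str]] = {
    "keylogger": [
        "Offline Keylogger Started",
        "Online Keylogger Stopped",
        "%02i:%02i:%02i:%03i",   # timestamp format seen next to GetLocalTime
        "UnhookWindowsHookEx",
    ],
    "browser_profile_probe": [
        "\\AppData\\Local\\Google\\Chrome\\",
        "\\AppData\\Local\\Microsoft\\Edge\\",
        "\\Opera Software\\Opera Stable\\",
        "PathFileExistsW",
    ],
    "audio_capture": ["waveInPrepareHeader", "waveInAddBuffer"],
    "downloader": ["URLDownloadToFileW"],
    "alarm_sound": ["alarm.wav"],
}


def encodings(needle: str) -> list[bytes]:
    """W-suffixed APIs consume UTF-16LE strings; import-table names are ASCII.
    Searching both lets the scan run on a raw dump without knowing the encoding."""
    return [needle.encode("ascii"), needle.encode("utf-16-le")]


def scan_capabilities(blob: bytes) -> dict[str, list[str]]:
    """Return {capability: [matched literals]} for every indicator present in blob."""
    hits: dict[str, list[str]] = defaultdict(list)
    for capability, needles in INDICATORS.items():
        for needle in needles:
            if any(enc in blob for enc in encodings(needle)):
                hits[capability].append(needle)
    return dict(hits)


def summarize(hits: dict[str, list[str]], min_hits: int = 2) -> list[str]:
    """Capabilities backed by at least min_hits indicators. A single generic import
    such as PathFileExistsW is not evidence on its own; the threshold is an assumption."""
    return [cap for cap, found in hits.items() if len(found) >= min_hits]


def scan_file(path: str) -> dict[str, list[str]]:
    """Convenience wrapper for a dump on disk (e.g. an extracted .sdmp region)."""
    with open(path, "rb") as fh:
        return scan_capabilities(fh.read())


def build_sample_blob() -> bytes:
    """Constructed stand-in for a memory dump: wide strings separated by padding,
    followed by an ASCII import-name table. Not taken from the real sample."""
    wide = b"".join(
        s.encode("utf-16-le") + b"\x00\x00" + b"\x90" * 7
        for s in (
            "Online Keylogger Stopped",
            "\\AppData\\Local\\Google\\Chrome\\",
            "%02i:%02i:%02i:%03i",
        )
    )
    imports = b"\x00".join(
        n.encode("ascii")
        for n in ("PathFileExistsW", "waveInPrepareHeader", "waveInAddBuffer", "GetLocalTime")
    )
    return b"MZ" + b"\x00" * 62 + wide + b"\xCC" * 16 + imports + b"\x00"


if __name__ == "__main__":
    found = scan_capabilities(build_sample_blob())
    for cap in summarize(found):
        print(f"{cap}: {found[cap]}")
```

Running it against the constructed buffer reports keylogger, browser_profile_probe and audio_capture, each backed by two indicators; the downloader group stays silent because URLDownloadToFileW is absent from that buffer. Against a real dump, point scan_file at each extracted region separately so a hit can be tied back to a specific module base (0x400000 versus 0x10000000 in this report).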
                                                                    APIs
                                                                    Similarity
                                                                    • API ID: _free
                                                                    • String ID: $G
                                                                    APIs
                                                                    • GetKeyState.USER32(00000011), ref: 0040B686
                                                                      • Part of subcall function 0040A41B: GetForegroundWindow.USER32 ref: 0040A451
                                                                      • Part of subcall function 0040A41B: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                                                      • Part of subcall function 0040A41B: GetKeyboardLayout.USER32(00000000), ref: 0040A464
                                                                      • Part of subcall function 0040A41B: GetKeyState.USER32(00000010), ref: 0040A46E
                                                                      • Part of subcall function 0040A41B: GetKeyboardState.USER32(?), ref: 0040A479
                                                                      • Part of subcall function 0040A41B: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A49C
                                                                      • Part of subcall function 0040A41B: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                                                                      • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                                                                    Similarity
                                                                    • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                                    • String ID: [AltL]$[AltR]
                                                                    APIs
                                                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161E3
                                                                    Similarity
                                                                    • API ID: ExecuteShell
                                                                    • String ID: !D@$open
                                                                    APIs
                                                                    • GetKeyState.USER32(00000012), ref: 0040B6E0
                                                                    Similarity
                                                                    • API ID: State
                                                                    • String ID: [CtrlL]$[CtrlR]
                                                                    APIs
                                                                      • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                    • __Init_thread_footer.LIBCMT ref: 00410F64
                                                                    Similarity
                                                                    • API ID: Init_thread_footer__onexit
                                                                    • String ID: <kG$@kG
                                                                    APIs
                                                                    • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D17F,00000000,004752E8,00475300,?,pth_unenc), ref: 00413A6C
                                                                    • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00413A80
                                                                    Strings
                                                                    • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A6A
                                                                    Similarity
                                                                    • API ID: DeleteOpenValue
                                                                    • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                                    APIs
                                                                    • TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                                    • WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                                    Similarity
                                                                    • API ID: ObjectProcessSingleTerminateWait
                                                                    • String ID: pth_unenc
                                                                    APIs
                                                                    Similarity
                                                                    • API ID: CommandLine
                                                                    • String ID: 8(s
                                                                    APIs
                                                                    Similarity
                                                                    • API ID: CommandLine
                                                                    • String ID: 8(s
                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401BD9), ref: 00440D77
                                                                    • GetLastError.KERNEL32 ref: 00440D85
                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440DE0
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$ErrorLast
                                                                    APIs
                                                                    • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411BC7
                                                                    • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411C93
                                                                    • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411CB5
                                                                    • SetLastError.KERNEL32(0000007E,00411F2B), ref: 00411CCC
                                                                    Similarity
                                                                    • API ID: ErrorLastRead

                                                                    Execution Graph

                                                                    Execution Coverage: 6.4%
                                                                    Dynamic/Decrypted Code Coverage: 9.2%
                                                                    Signature Coverage: 2.1%
                                                                    Total number of Nodes: 2000
                                                                    Total number of Limit Nodes: 72
38898 40c3dd 38899 40b2cc 27 API calls 38898->38899 38900 40c3e7 38899->38900 39134 414592 RegOpenKeyExW 38900->39134 38902 40c3f4 38903 40c50e 38902->38903 38904 40c3ff 38902->38904 38918 405337 38903->38918 38905 40a9ce 4 API calls 38904->38905 38906 40c418 memset 38905->38906 39135 40aa1d 38906->39135 38909 40c471 38911 40c47a _wcsupr 38909->38911 38910 40c505 RegCloseKey 38910->38903 38912 40a8d0 7 API calls 38911->38912 38913 40c498 38912->38913 38914 40a8d0 7 API calls 38913->38914 38915 40c4ac memset 38914->38915 38916 40aa1d 38915->38916 38917 40c4e4 RegEnumValueW 38916->38917 38917->38910 38917->38911 39137 405220 38918->39137 38922 4099c6 2 API calls 38921->38922 38923 40a714 _wcslwr 38922->38923 38924 40c634 38923->38924 39194 405361 38924->39194 38927 40c65c wcslen 39197 4053b6 39 API calls 38927->39197 38928 40c71d wcslen 38928->38494 38930 40c677 38931 40c713 38930->38931 39198 40538b 39 API calls 38930->39198 39200 4053df 39 API calls 38931->39200 38934 40c6a5 38934->38931 38935 40c6a9 memset 38934->38935 38936 40c6d3 38935->38936 39199 40c589 44 API calls 38936->39199 38938->38487 38940 40ae18 9 API calls 38939->38940 38946 40c210 38940->38946 38941 40ae51 9 API calls 38941->38946 38942 40c264 38943 40aebe FindClose 38942->38943 38945 40c26f 38943->38945 38944 40add4 2 API calls 38944->38946 38951 40e5ed memset memset 38945->38951 38946->38941 38946->38942 38946->38944 38947 40c231 _wcsicmp 38946->38947 38948 40c1d3 35 API calls 38946->38948 38947->38946 38949 40c248 38947->38949 38948->38946 38964 40c084 22 API calls 38949->38964 38952 414c2e 17 API calls 38951->38952 38953 40e63f 38952->38953 38954 409d1f 6 API calls 38953->38954 38955 40e658 38954->38955 38965 409b98 GetFileAttributesW 38955->38965 38957 40e667 38958 40e680 38957->38958 38959 409d1f 6 API calls 38957->38959 38966 409b98 GetFileAttributesW 38958->38966 38959->38958 38961 40e68f 38962 40c2d8 38961->38962 38967 40e4b2 38961->38967 38962->38874 38962->38875 38964->38946 38965->38957 
38966->38961 38988 40e01e 38967->38988 38969 40e593 38970 40e5b0 38969->38970 38971 40e59c DeleteFileW 38969->38971 38972 40b04b ??3@YAXPAX 38970->38972 38971->38970 38974 40e5bb 38972->38974 38973 40e521 38973->38969 39011 40e175 38973->39011 38976 40e5c4 CloseHandle 38974->38976 38977 40e5cc 38974->38977 38976->38977 38979 40b633 free 38977->38979 38978 40e573 38980 40e584 38978->38980 38981 40e57c CloseHandle 38978->38981 38982 40e5db 38979->38982 39054 40b1ab free free 38980->39054 38981->38980 38985 40b633 free 38982->38985 38984 40e540 38984->38978 39031 40e2ab 38984->39031 38986 40e5e3 38985->38986 38986->38962 39055 406214 38988->39055 38991 40e16b 38991->38973 38994 40afcf 2 API calls 38995 40e08d OpenProcess 38994->38995 38996 40e0a4 GetCurrentProcess DuplicateHandle 38995->38996 39000 40e152 38995->39000 38997 40e0d0 GetFileSize 38996->38997 38998 40e14a CloseHandle 38996->38998 39091 409a45 GetTempPathW 38997->39091 38998->39000 38999 40e160 39003 40b04b ??3@YAXPAX 38999->39003 39000->38999 39002 406214 22 API calls 39000->39002 39002->38999 39003->38991 39004 40e0ea 39094 4096dc CreateFileW 39004->39094 39006 40e0f1 CreateFileMappingW 39007 40e140 CloseHandle CloseHandle 39006->39007 39008 40e10b MapViewOfFile 39006->39008 39007->38998 39009 40e13b CloseHandle 39008->39009 39010 40e11f WriteFile UnmapViewOfFile 39008->39010 39009->39007 39010->39009 39012 40e18c 39011->39012 39095 406b90 39012->39095 39015 40e1a7 memset 39021 40e1e8 39015->39021 39016 40e299 39105 4069a3 39016->39105 39022 40e283 39021->39022 39023 40dd50 _wcsicmp 39021->39023 39029 40e244 _snwprintf 39021->39029 39112 406e8f 13 API calls 39021->39112 39113 40742e 8 API calls 39021->39113 39114 40aae3 wcslen wcslen _memicmp 39021->39114 39115 406b53 SetFilePointerEx ReadFile 39021->39115 39024 40e291 39022->39024 39025 40e288 free 39022->39025 39023->39021 39026 40aa04 free 39024->39026 39025->39024 39026->39016 39030 40a8d0 7 API calls 39029->39030 39030->39021 39032 40e2c2 
39031->39032 39033 406b90 11 API calls 39032->39033 39039 40e2d3 39033->39039 39034 40e4a0 39035 4069a3 2 API calls 39034->39035 39037 40e4ab 39035->39037 39037->38984 39039->39034 39040 40e489 39039->39040 39043 40dd50 _wcsicmp 39039->39043 39049 40e3e0 memcpy 39039->39049 39050 40e3fb memcpy 39039->39050 39051 40e3b3 wcschr 39039->39051 39052 40e416 memcpy 39039->39052 39053 40e431 memcpy 39039->39053 39116 406e8f 13 API calls 39039->39116 39117 40dd50 _wcsicmp 39039->39117 39126 40742e 8 API calls 39039->39126 39127 406b53 SetFilePointerEx ReadFile 39039->39127 39041 40aa04 free 39040->39041 39042 40e491 39041->39042 39042->39034 39044 40e497 free 39042->39044 39043->39039 39044->39034 39046 40e376 memset 39118 40aa29 39046->39118 39049->39039 39050->39039 39051->39039 39052->39039 39053->39039 39054->38969 39056 406294 CloseHandle 39055->39056 39057 406224 39056->39057 39058 4096c3 CreateFileW 39057->39058 39059 40622d 39058->39059 39060 406281 GetLastError 39059->39060 39061 40a2ef ReadFile 39059->39061 39065 40625a 39060->39065 39062 406244 39061->39062 39062->39060 39063 40624b 39062->39063 39064 406777 19 API calls 39063->39064 39063->39065 39064->39065 39065->38991 39066 40dd85 memset 39065->39066 39067 409bca GetModuleFileNameW 39066->39067 39068 40ddbe CreateFileW 39067->39068 39071 40ddf1 39068->39071 39069 40afcf ??2@YAPAXI ??3@YAXPAX 39069->39071 39070 41352f 9 API calls 39070->39071 39071->39069 39071->39070 39072 40de0b NtQuerySystemInformation 39071->39072 39073 40de3b CloseHandle GetCurrentProcessId 39071->39073 39072->39071 39074 40de54 39073->39074 39075 413d4c 46 API calls 39074->39075 39083 40de88 39075->39083 39076 40e00c 39077 413d29 free FreeLibrary 39076->39077 39078 40e014 39077->39078 39078->38991 39078->38994 39079 40dea9 _wcsicmp 39080 40dee7 OpenProcess 39079->39080 39081 40debd _wcsicmp 39079->39081 39080->39083 39081->39080 39082 40ded0 _wcsicmp 39081->39082 39082->39080 39082->39083 39083->39076 39083->39079 39084 40dfef 
CloseHandle 39083->39084 39085 40df23 GetCurrentProcess DuplicateHandle 39083->39085 39088 40df8f CloseHandle 39083->39088 39089 40df78 39083->39089 39084->39083 39085->39083 39086 40df4c memset 39085->39086 39087 41352f 9 API calls 39086->39087 39087->39083 39088->39089 39089->39084 39089->39088 39090 40dfae _wcsicmp 39089->39090 39090->39083 39090->39089 39092 409a74 GetTempFileNameW 39091->39092 39093 409a66 GetWindowsDirectoryW 39091->39093 39092->39004 39093->39092 39094->39006 39096 406bd5 39095->39096 39097 406bad 39095->39097 39099 4066bf free malloc memcpy free free 39096->39099 39104 406c0f 39096->39104 39097->39096 39098 406bba _wcsicmp 39097->39098 39098->39096 39098->39097 39100 406be5 39099->39100 39101 40afcf ??2@YAPAXI ??3@YAXPAX 39100->39101 39100->39104 39102 406bff 39101->39102 39103 4068bf SetFilePointerEx memcpy ReadFile ??2@YAPAXI ??3@YAXPAX 39102->39103 39103->39104 39104->39015 39104->39016 39106 4069c4 ??3@YAXPAX 39105->39106 39107 4069af 39106->39107 39108 40b633 free 39107->39108 39109 4069ba 39108->39109 39110 40b04b ??3@YAXPAX 39109->39110 39111 4069c2 39110->39111 39111->38984 39112->39021 39113->39021 39114->39021 39115->39021 39116->39039 39117->39046 39119 40aa33 39118->39119 39120 40aa63 39118->39120 39121 40aa44 39119->39121 39122 40aa38 wcslen 39119->39122 39120->39039 39123 40a9ce malloc memcpy free free 39121->39123 39122->39121 39124 40aa4d 39123->39124 39124->39120 39125 40aa51 memcpy 39124->39125 39125->39120 39126->39039 39127->39039 39129 40a980 39128->39129 39130 40a8bb 39129->39130 39131 40a995 _wcsicmp 39129->39131 39132 40a99c wcscmp 39129->39132 39130->38894 39130->38895 39131->39129 39132->39129 39133->38898 39134->38902 39136 40aa23 RegEnumValueW 39135->39136 39136->38909 39136->38910 39138 405335 39137->39138 39139 40522a 39137->39139 39138->38494 39140 40b2cc 27 API calls 39139->39140 39141 405234 39140->39141 39142 40a804 8 API calls 39141->39142 39143 40523a 39142->39143 39182 40b273 39143->39182 39145 405248 
_mbscpy _mbscat GetProcAddress 39146 40b273 27 API calls 39145->39146 39147 405279 39146->39147 39185 405211 GetProcAddress 39147->39185 39149 405282 39150 40b273 27 API calls 39149->39150 39151 40528f 39150->39151 39186 405211 GetProcAddress 39151->39186 39153 405298 39154 40b273 27 API calls 39153->39154 39155 4052a5 39154->39155 39187 405211 GetProcAddress 39155->39187 39157 4052ae 39158 40b273 27 API calls 39157->39158 39159 4052bb 39158->39159 39188 405211 GetProcAddress 39159->39188 39161 4052c4 39162 40b273 27 API calls 39161->39162 39163 4052d1 39162->39163 39189 405211 GetProcAddress 39163->39189 39165 4052da 39166 40b273 27 API calls 39165->39166 39167 4052e7 39166->39167 39190 405211 GetProcAddress 39167->39190 39169 4052f0 39170 40b273 27 API calls 39169->39170 39183 40b58d 27 API calls 39182->39183 39184 40b18c 39183->39184 39184->39145 39185->39149 39186->39153 39187->39157 39188->39161 39189->39165 39190->39169 39195 405220 39 API calls 39194->39195 39196 405369 39195->39196 39196->38927 39196->38928 39197->38930 39198->38934 39199->38931 39200->38928 39202 40440c FreeLibrary 39201->39202 39203 40436d 39202->39203 39204 40a804 8 API calls 39203->39204 39205 404377 39204->39205 39206 404383 39205->39206 39207 404405 39205->39207 39208 40b273 27 API calls 39206->39208 39207->38499 39207->38500 39207->38501 39209 40438d GetProcAddress 39208->39209 39210 40b273 27 API calls 39209->39210 39211 4043a7 GetProcAddress 39210->39211 39212 40b273 27 API calls 39211->39212 39213 4043ba GetProcAddress 39212->39213 39214 40b273 27 API calls 39213->39214 39215 4043ce GetProcAddress 39214->39215 39216 40b273 27 API calls 39215->39216 39217 4043e2 GetProcAddress 39216->39217 39218 4043f1 39217->39218 39219 4043f7 39218->39219 39220 40440c FreeLibrary 39218->39220 39219->39207 39220->39207 39222 404413 FreeLibrary 39221->39222 39223 40441e 39221->39223 39222->39223 39223->38516 39224->38510 39226 40447e 39225->39226 39227 40442e 39225->39227 39228 404485 
CryptUnprotectData 39226->39228 39229 40449c 39226->39229 39230 40b2cc 27 API calls 39227->39230 39228->39229 39229->38510 39231 404438 39230->39231 39232 40a804 8 API calls 39231->39232 39233 40443e 39232->39233 39234 404445 39233->39234 39235 404467 39233->39235 39236 40b273 27 API calls 39234->39236 39235->39226 39238 404475 FreeLibrary 39235->39238 39237 40444f GetProcAddress 39236->39237 39237->39235 39239 404460 39237->39239 39238->39226 39239->39235 39241 4135f6 39240->39241 39242 4135eb FreeLibrary 39240->39242 39241->38519 39242->39241 39244 4449c4 39243->39244 39245 444a52 39243->39245 39246 40b2cc 27 API calls 39244->39246 39245->38536 39245->38537 39247 4449cb 39246->39247 39248 40a804 8 API calls 39247->39248 39249 4449d1 39248->39249 39250 40b273 27 API calls 39249->39250 39264->38547 39265->38547 39266->38547 39267->38547 39270 403a29 39269->39270 39284 403bed memset memset 39270->39284 39272 403ae7 39297 40b1ab free free 39272->39297 39274 403a3f memset 39278 403a2f 39274->39278 39275 403aef 39275->38555 39276 40a8d0 7 API calls 39276->39278 39277 409d1f 6 API calls 39277->39278 39278->39272 39278->39274 39278->39276 39278->39277 39279 409b98 GetFileAttributesW 39278->39279 39279->39278 39281 40a051 GetFileTime CloseHandle 39280->39281 39282 4039ca CompareFileTime 39280->39282 39281->39282 39282->38555 39283->38554 39285 414c2e 17 API calls 39284->39285 39286 403c38 39285->39286 39287 409719 2 API calls 39286->39287 39288 403c3f wcscat 39287->39288 39289 414c2e 17 API calls 39288->39289 39290 403c61 39289->39290 39291 409719 2 API calls 39290->39291 39292 403c68 wcscat 39291->39292 39298 403af5 39292->39298 39295 403af5 20 API calls 39296 403c95 39295->39296 39296->39278 39297->39275 39299 403b02 39298->39299 39300 40ae18 9 API calls 39299->39300 39308 403b37 39300->39308 39301 403bdb 39302 40aebe FindClose 39301->39302 39304 403be6 39302->39304 39303 40add4 wcscmp wcscmp 39303->39308 39304->39295 39305 40ae18 9 API calls 39305->39308 39306 40ae51 9 
API calls 39306->39308 39307 40aebe FindClose 39307->39308 39308->39301 39308->39303 39308->39305 39308->39306 39308->39307 39309 40a8d0 7 API calls 39308->39309 39309->39308 39311 409d1f 6 API calls 39310->39311 39312 404190 39311->39312 39325 409b98 GetFileAttributesW 39312->39325 39314 40419c 39315 4041a7 6 API calls 39314->39315 39316 40435c 39314->39316 39318 40424f 39315->39318 39316->38581 39318->39316 39319 40425e memset 39318->39319 39321 409d1f 6 API calls 39318->39321 39322 40a8ab 9 API calls 39318->39322 39326 414842 39318->39326 39319->39318 39320 404296 wcscpy 39319->39320 39320->39318 39321->39318 39323 4042b6 memset memset _snwprintf wcscpy 39322->39323 39323->39318 39324->38579 39325->39314 39329 41443e 39326->39329 39328 414866 39328->39318 39330 41444b 39329->39330 39331 414451 39330->39331 39332 4144a3 GetPrivateProfileStringW 39330->39332 39333 414491 39331->39333 39334 414455 wcschr 39331->39334 39332->39328 39336 414495 WritePrivateProfileStringW 39333->39336 39334->39333 39335 414463 _snwprintf 39334->39335 39335->39336 39336->39328 39337->38585 39339 40b2cc 27 API calls 39338->39339 39340 409615 39339->39340 39341 409d1f 6 API calls 39340->39341 39342 409625 39341->39342 39367 409b98 GetFileAttributesW 39342->39367 39344 409634 39345 409648 39344->39345 39368 4091b8 memset 39344->39368 39347 40b2cc 27 API calls 39345->39347 39350 408801 39345->39350 39348 40965d 39347->39348 39349 409d1f 6 API calls 39348->39349 39351 40966d 39349->39351 39350->38588 39350->38615 39420 409b98 GetFileAttributesW 39351->39420 39353 40967c 39353->39350 39354 409681 39353->39354 39421 409529 72 API calls 39354->39421 39356 409690 39356->39350 39367->39344 39422 40a6e6 WideCharToMultiByte 39368->39422 39370 409202 39423 444432 39370->39423 39373 40b273 27 API calls 39374 409236 39373->39374 39469 438552 39374->39469 39400 40951d 39400->39345 39420->39353 39421->39356 39422->39370 39519 4438b5 39423->39519 39425 44444c 39426 409215 39425->39426 39533 415a6d 
39425->39533 39426->39373 39426->39400 39428 4442e6 11 API calls 39429 444486 39431 4444b9 memcpy 39429->39431 39468 4444a4 39429->39468 39537 415258 39431->39537 39468->39428 39658 438460 39469->39658 39520 4438d0 39519->39520 39530 4438c9 39519->39530 39607 415378 memcpy memcpy 39520->39607 39530->39425 39534 415a77 39533->39534 39535 415a8d 39534->39535 39536 415a7e memset 39534->39536 39535->39429 39536->39535 39670 41703f 39658->39670 39808 413f4f 39781->39808 39784 413f37 K32GetModuleFileNameExW 39785 413f4a 39784->39785 39785->38645 39787 413969 wcscpy 39786->39787 39788 41396c wcschr 39786->39788 39791 413a3a 39787->39791 39788->39787 39790 41398e 39788->39790 39813 4097f7 wcslen wcslen _memicmp 39790->39813 39791->38645 39793 41399a 39794 4139a4 memset 39793->39794 39795 4139e6 39793->39795 39814 409dd5 GetWindowsDirectoryW wcscpy 39794->39814 39797 413a31 wcscpy 39795->39797 39798 4139ec memset 39795->39798 39797->39791 39815 409dd5 GetWindowsDirectoryW wcscpy 39798->39815 39799 4139c9 wcscpy wcscat 39799->39791 39801 413a11 memcpy wcscat 39801->39791 39803 413cb0 GetModuleHandleW 39802->39803 39804 413cda 39802->39804 39803->39804 39807 413cbf GetProcAddress 39803->39807 39805 413ce3 GetProcessTimes 39804->39805 39806 413cf6 39804->39806 39805->38650 39806->38650 39807->39804 39809 413f2f 39808->39809 39810 413f54 39808->39810 39809->39784 39809->39785 39811 40a804 8 API calls 39810->39811 39812 413f5f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 39811->39812 39812->39809 39813->39793 39814->39799 39815->39801 39816->38670 39817->38694 39819 409cf9 GetVersionExW 39818->39819 39820 409d0a 39818->39820 39819->39820 39820->38700 39820->38705 39821->38706 39822->38710 39823->38712 39824->38778 39826 40bba5 39825->39826 39870 40cc26 39826->39870 39829 40bd4b 39898 40cc0c 39829->39898 39834 40b2cc 27 API calls 39835 40bbef 39834->39835 39891 40ccf0 39835->39891 39837 40bbf5 39837->39829 39895 40ccb4 39837->39895 39840 40cf04 17 
API calls 39841 40bc2e 39840->39841 39842 40bd43 39841->39842 39843 40b2cc 27 API calls 39841->39843 39844 40cc0c 4 API calls 39842->39844 39845 40bc40 39843->39845 39844->39829 39846 40ccf0 _wcsicmp 39845->39846 39847 40bc46 39846->39847 39847->39842 39848 40bc61 memset memset WideCharToMultiByte 39847->39848 39905 40103c strlen 39848->39905 39850 40bcc0 39851 40b273 27 API calls 39850->39851 39852 40bcd0 memcmp 39851->39852 39852->39842 39853 40bce2 39852->39853 39854 404423 38 API calls 39853->39854 39855 40bd10 39854->39855 39855->39842 39856 40bd3a LocalFree 39855->39856 39857 40bd1f memcpy 39855->39857 39856->39842 39857->39856 39858->38793 39859->38830 39860->38830 39861->38830 39862->38830 39863->38830 39864->38830 39865->38830 39866->38830 39867->38830 39868->38805 39869->38827 39906 4096c3 CreateFileW 39870->39906 39872 40cc34 39873 40cc3d GetFileSize 39872->39873 39881 40bbca 39872->39881 39874 40afcf 2 API calls 39873->39874 39875 40cc64 39874->39875 39907 40a2ef ReadFile 39875->39907 39877 40cc71 39908 40ab4a MultiByteToWideChar 39877->39908 39879 40cc95 CloseHandle 39880 40b04b ??3@YAXPAX 39879->39880 39880->39881 39881->39829 39882 40cf04 39881->39882 39883 40b633 free 39882->39883 39884 40cf14 39883->39884 39914 40b1ab free free 39884->39914 39886 40cf1b 39887 40cfef 39886->39887 39890 40bbdd 39886->39890 39915 40cd4b 39886->39915 39889 40cd4b 14 API calls 39887->39889 39889->39890 39890->39829 39890->39834 39892 40ccfd 39891->39892 39894 40cd3f 39891->39894 39893 40cd26 _wcsicmp 39892->39893 39892->39894 39893->39892 39893->39894 39894->39837 39896 40aa29 6 API calls 39895->39896 39897 40bc26 39896->39897 39897->39840 39899 40b633 free 39898->39899 39900 40cc15 39899->39900 39901 40aa04 free 39900->39901 39902 40cc1d 39901->39902 39956 40b1ab free free 39902->39956 39904 40b7d4 memset CreateFileW 39904->38785 39904->38786 39905->39850 39906->39872 39907->39877 39909 40ab93 39908->39909 39910 40ab6b 39908->39910 39909->39879 39911 40a9ce 4 API calls 
39910->39911 39912 40ab74 39911->39912 39913 40ab7c MultiByteToWideChar 39912->39913 39913->39909 39914->39886 39916 40cd7b 39915->39916 39917 40aa29 6 API calls 39916->39917 39921 40cd89 39917->39921 39918 40cef5 39919 40aa04 free 39918->39919 39920 40cefd 39919->39920 39920->39886 39921->39918 39922 40aa29 6 API calls 39921->39922 39923 40ce1d 39922->39923 39924 40aa29 6 API calls 39923->39924 39925 40ce3e 39924->39925 39926 40ce6a 39925->39926 39949 40abb7 wcslen memmove 39925->39949 39927 40ce9f 39926->39927 39952 40abb7 wcslen memmove 39926->39952 39930 40a8d0 7 API calls 39927->39930 39933 40ceb5 39930->39933 39931 40ce56 39950 40aa71 wcslen 39931->39950 39932 40ce8b 39953 40aa71 wcslen 39932->39953 39937 40a8d0 7 API calls 39933->39937 39936 40ce5e 39951 40abb7 wcslen memmove 39936->39951 39940 40cecb 39937->39940 39938 40ce93 39954 40abb7 wcslen memmove 39938->39954 39955 40d00b malloc memcpy free free 39940->39955 39943 40cedd 39944 40aa04 free 39943->39944 39945 40cee5 39944->39945 39946 40aa04 free 39945->39946 39947 40ceed 39946->39947 39948 40aa04 free 39947->39948 39948->39918 39949->39931 39950->39936 39951->39926 39952->39932 39953->39938 39954->39927 39955->39943 39956->39904 39957->38845 39958->38853 39959 4415ea 39967 4304b2 39959->39967 39961 4415fe 39962 4418e2 39961->39962 39964 442bd4 39961->39964 39965 4418ea 39961->39965 39962->39965 40014 4414a9 12 API calls 39962->40014 39964->39965 40015 441409 memset 39964->40015 40016 43041c 12 API calls 39967->40016 39969 4304cd 39974 430557 39969->39974 40017 43034a 39969->40017 39971 4304f3 39971->39974 40021 430468 11 API calls 39971->40021 39973 430506 39973->39974 39975 43057b 39973->39975 40022 43817e 39973->40022 39974->39961 39976 415a91 memset 39975->39976 39978 430584 39976->39978 39978->39974 40027 4397fd memset 39978->40027 39980 4305e4 39980->39974 40028 4328e4 12 API calls 39980->40028 39982 43052d 39982->39974 39982->39975 39985 430542 39982->39985 39984 4305fa 39986 430609 39984->39986 
40029 423383 11 API calls 39984->40029 39985->39974 40026 4169a7 11 API calls 39985->40026 40030 423330 11 API calls 39986->40030 39989 430634 40031 423399 11 API calls 39989->40031 39991 430648 40032 4233ae 11 API calls 39991->40032 39993 43066b 40033 423330 11 API calls 39993->40033 39995 43067d 40034 4233ae 11 API calls 39995->40034 39997 430695 40035 423330 11 API calls 39997->40035 39999 4306d6 40037 423330 11 API calls 39999->40037 40000 4306a7 40000->39999 40002 4306c0 40000->40002 40036 4233ae 11 API calls 40002->40036 40004 4306d1 40038 430369 17 API calls 40004->40038 40006 4306f3 40039 423330 11 API calls 40006->40039 40008 430704 40040 423330 11 API calls 40008->40040 40010 430710 40041 423330 11 API calls 40010->40041 40012 43071e 40042 423383 11 API calls 40012->40042 40014->39965 40015->39964 40016->39969 40018 43034e 40017->40018 40020 430359 40017->40020 40043 415c23 memcpy 40018->40043 40020->39971 40021->39973 40023 438187 40022->40023 40025 438192 40022->40025 40044 4380f6 40023->40044 40025->39982 40026->39974 40027->39980 40028->39984 40029->39986 40030->39989 40031->39991 40032->39993 40033->39995 40034->39997 40035->40000 40036->40004 40037->40004 40038->40006 40039->40008 40040->40010 40041->40012 40042->39974 40043->40020 40046 43811f 40044->40046 40045 438164 40045->40025 40046->40045 40048 4300e8 3 API calls 40046->40048 40049 437e5e 40046->40049 40048->40046 40072 437d3c 40049->40072 40051 437eb3 40051->40046 40052 437ea9 40052->40051 40058 437f22 40052->40058 40087 41f432 40052->40087 40055 437f06 40137 415c56 11 API calls 40055->40137 40057 437f95 40138 415c56 11 API calls 40057->40138 40059 437f7f 40058->40059 40060 432d4e 3 API calls 40058->40060 40059->40057 40062 43802b 40059->40062 40060->40059 40098 4165ff 40062->40098 40067 43806b 40068 438094 40067->40068 40139 42f50e 138 API calls 40067->40139 40070 437fa3 40068->40070 40071 4300e8 3 API calls 40068->40071 40070->40051 40140 41f638 104 API calls 40070->40140 40071->40070 
40073 437d69 40072->40073 40076 437d80 40072->40076 40141 437ccb 11 API calls 40073->40141 40075 437d76 40075->40052 40076->40075 40077 437da3 40076->40077 40079 437d90 40076->40079 40080 438460 134 API calls 40077->40080 40079->40075 40145 437ccb 11 API calls 40079->40145 40083 437dcb 40080->40083 40082 437de8 40144 424f26 123 API calls 40082->40144 40083->40082 40142 444283 13 API calls 40083->40142 40085 437dfc 40143 437ccb 11 API calls 40085->40143 40088 41f54d 40087->40088 40094 41f44f 40087->40094 40089 41f466 40088->40089 40175 41c635 memset memset 40088->40175 40089->40055 40089->40058 40094->40089 40096 41f50b 40094->40096 40146 41f1a5 40094->40146 40171 41c06f memcmp 40094->40171 40172 41f3b1 90 API calls 40094->40172 40173 41f398 86 API calls 40094->40173 40096->40088 40096->40089 40174 41c295 86 API calls 40096->40174 40099 4165a0 11 API calls 40098->40099 40100 41660d 40099->40100 40101 437371 40100->40101 40102 41703f 11 API calls 40101->40102 40103 437399 40102->40103 40104 43739d 40103->40104 40107 4373ac 40103->40107 40261 4446ea 11 API calls 40104->40261 40106 4373a7 40106->40067 40108 416935 16 API calls 40107->40108 40109 4373ca 40108->40109 40111 438460 134 API calls 40109->40111 40115 4251c4 137 API calls 40109->40115 40119 415a91 memset 40109->40119 40122 43758f 40109->40122 40134 437584 40109->40134 40136 437d3c 135 API calls 40109->40136 40262 425433 13 API calls 40109->40262 40263 425413 17 API calls 40109->40263 40264 42533e 16 API calls 40109->40264 40265 42538f 16 API calls 40109->40265 40266 42453e 123 API calls 40109->40266 40110 4375bc 40113 415c7d 16 API calls 40110->40113 40111->40109 40114 4375d2 40113->40114 40114->40106 40116 4442e6 11 API calls 40114->40116 40115->40109 40117 4375e2 40116->40117 40117->40106 40269 444283 13 API calls 40117->40269 40119->40109 40267 42453e 123 API calls 40122->40267 40123 4375f4 40128 437620 40123->40128 40129 43760b 40123->40129 40127 43759f 40130 416935 16 API calls 40127->40130 40132 416935 
16 API calls 40128->40132 40270 444283 13 API calls 40129->40270 40130->40134 40132->40106 40134->40110 40268 42453e 123 API calls 40134->40268 40135 437612 memcpy 40135->40106 40136->40109 40137->40051 40138->40070 40139->40068 40140->40051 40141->40075 40142->40085 40143->40082 40144->40075 40145->40075 40176 41bc3b 40146->40176 40149 41edad 86 API calls 40150 41f1cb 40149->40150 40151 41f1f5 memcmp 40150->40151 40152 41f20e 40150->40152 40156 41f282 40150->40156 40151->40152 40153 41f21b memcmp 40152->40153 40152->40156 40154 41f326 40153->40154 40157 41f23d 40153->40157 40155 41ee6b 86 API calls 40154->40155 40154->40156 40155->40156 40156->40094 40157->40154 40158 41f28e memcmp 40157->40158 40200 41c8df 56 API calls 40157->40200 40158->40154 40159 41f2a9 40158->40159 40159->40154 40162 41f308 40159->40162 40163 41f2d8 40159->40163 40161 41f269 40161->40154 40164 41f287 40161->40164 40165 41f27a 40161->40165 40162->40154 40201 4446ce 11 API calls 40162->40201 40166 41ee6b 86 API calls 40163->40166 40164->40158 40167 41ee6b 86 API calls 40165->40167 40168 41f2e0 40166->40168 40167->40156 40170 41b1ca memset 40168->40170 40170->40156 40171->40094 40172->40094 40173->40094 40174->40088 40175->40089 40177 41be0b 40176->40177 40179 41bc54 40176->40179 40182 41bd61 40177->40182 40210 41ae17 34 API calls 40177->40210 40179->40177 40179->40182 40187 41bc8d 40179->40187 40202 41baf0 55 API calls 40179->40202 40181 41be45 40181->40149 40181->40156 40182->40181 40211 41a25f memset 40182->40211 40184 41be04 40209 41aee4 56 API calls 40184->40209 40186 41bd42 40186->40182 40186->40184 40189 41bdd8 memset 40186->40189 40190 41bdba 40186->40190 40187->40182 40187->40186 40188 41bd18 40187->40188 40203 4151e3 40187->40203 40188->40182 40188->40186 40207 41a9da 86 API calls __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 40188->40207 40191 41bde7 memcmp 40189->40191 40199 4175ed 6 API calls 40190->40199 40191->40184 40193 41bdfd 40191->40193 40192 41bdcc 40192->40182 40192->40191 
40208 41a1b0 memset 40193->40208 40199->40192 40200->40161 40201->40154 40202->40187 40212 41837f 40203->40212 40206 444706 11 API calls 40206->40188 40207->40186 40208->40184 40209->40177 40210->40182 40211->40181 40213 4183c1 40212->40213 40214 4183ca 40212->40214 40259 418197 25 API calls 40213->40259 40232 4151f9 40214->40232 40233 418160 40214->40233 40217 4183e5 40217->40232 40242 41739b 40217->40242 40220 418444 CreateFileW 40222 418477 40220->40222 40221 41845f CreateFileA 40221->40222 40223 4184c2 memset 40222->40223 40224 41847e GetLastError free 40222->40224 40245 418758 40223->40245 40225 4184b5 40224->40225 40226 418497 40224->40226 40260 444706 11 API calls 40225->40260 40229 41837f 49 API calls 40226->40229 40229->40232 40232->40188 40232->40206 40234 41739b GetVersionExW 40233->40234 40235 418165 40234->40235 40237 4173e4 MultiByteToWideChar malloc MultiByteToWideChar free 40235->40237 40238 418178 40237->40238 40239 41817f 40238->40239 40240 41748f AreFileApisANSI WideCharToMultiByte malloc WideCharToMultiByte free 40238->40240 40239->40217 40241 418188 free 40240->40241 40241->40217 40243 4173d6 40242->40243 40244 4173ad GetVersionExW 40242->40244 40243->40220 40243->40221 40244->40243 40246 418680 43 API calls 40245->40246 40247 418782 40246->40247 40248 418506 free 40247->40248 40249 418160 11 API calls 40247->40249 40248->40232 40250 418799 40249->40250 40250->40248 40251 41739b GetVersionExW 40250->40251 40252 4187a7 40251->40252 40253 4187da 40252->40253 40254 4187ad GetDiskFreeSpaceW 40252->40254 40256 4187ec GetDiskFreeSpaceA 40253->40256 40258 4187e8 40253->40258 40257 418800 free 40254->40257 40256->40257 40257->40248 40258->40256 40259->40214 40260->40232 40261->40106 40262->40109 40263->40109 40264->40109 40265->40109 40266->40109 40267->40127 40268->40110 40269->40123 40270->40135 40271 4147f3 40274 414561 40271->40274 40273 414813 40275 41456d 40274->40275 40276 41457f GetPrivateProfileIntW 40274->40276 40279 4143f1 memset _itow 

                                                                    Control-flow Graph: function at 0040DD85 (rendered graph; node/edge listing not reproduced)
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040DDAD
                                                                      • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                                                    • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                      • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                      • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                    • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                    • CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                    • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                    • _wcsicmp.MSVCRT ref: 0040DEB2
                                                                    • _wcsicmp.MSVCRT ref: 0040DEC5
                                                                    • _wcsicmp.MSVCRT ref: 0040DED8
                                                                    • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                                                                    • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                                                                    • DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                                                                    • memset.MSVCRT ref: 0040DF5F
                                                                    • CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
                                                                    • _wcsicmp.MSVCRT ref: 0040DFB2
                                                                    • CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
                                                                    • String ID: dllhost.exe$p+v@Fv@Bv$taskhost.exe$taskhostex.exe
                                                                    • API String ID: 708747863-3857311822
                                                                    • Opcode ID: 5cab624b8928eaf00a06d38b2ee3d6eb31f92f98f3d88623932f7a2009947366
                                                                    • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                                                                    • Opcode Fuzzy Hash: 5cab624b8928eaf00a06d38b2ee3d6eb31f92f98f3d88623932f7a2009947366
                                                                    • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58
                                                                    APIs
                                                                      • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                      • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                                                      • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
                                                                      • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                    • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                                                    • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                                                    • free.MSVCRT ref: 00418803
                                                                    Similarity
                                                                    • API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
                                                                    • String ID:
                                                                    • API String ID: 1355100292-0
                                                                    • Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                                    • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                                                                    • Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                                    • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                                                                    APIs
                                                                    • CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                    • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                    Similarity
                                                                    • API ID: Library$Load$AddressCryptDataDirectoryFreeProcSystemUnprotectmemsetwcscatwcscpy
                                                                    • String ID:
                                                                    • API String ID: 767404330-0
                                                                    • Opcode ID: 91f5c8417cc05eb5371089ee99512099cd95d68580e827c1857cd6a30ed1daf0
                                                                    • Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
                                                                    • Opcode Fuzzy Hash: 91f5c8417cc05eb5371089ee99512099cd95d68580e827c1857cd6a30ed1daf0
                                                                    • Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
                                                                    APIs
                                                                    • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                                                    • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                                                    Similarity
                                                                    • API ID: FileFind$FirstNext
                                                                    • String ID:
                                                                    • API String ID: 1690352074-0
                                                                    • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                    • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                                                    • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                    • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0041898C
                                                                    • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                                    Similarity
                                                                    • API ID: InfoSystemmemset
                                                                    • String ID:
                                                                    • API String ID: 3558857096-0
                                                                    • Opcode ID: 1cb27ac447f4cf033b6cba199a5ddcb1fdd974c12d9e405e28a5f35c0eb83b67
                                                                    • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                                                    • Opcode Fuzzy Hash: 1cb27ac447f4cf033b6cba199a5ddcb1fdd974c12d9e405e28a5f35c0eb83b67
                                                                    • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

                                                                    Control-flow Graph: function at 0044553B (rendered graph; node/edge listing not reproduced)
                                                                    APIs
                                                                    • memset.MSVCRT ref: 004455C2
                                                                    • wcsrchr.MSVCRT ref: 004455DA
                                                                    • memset.MSVCRT ref: 0044570D
                                                                    • memset.MSVCRT ref: 00445725
                                                                      • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                                                      • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                                                      • Part of subcall function 0040BDB0: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                      • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                                                      • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
                                                                      • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                                                      • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                      • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                    • memset.MSVCRT ref: 0044573D
                                                                    • memset.MSVCRT ref: 00445755
                                                                    • memset.MSVCRT ref: 004458CB
                                                                    • memset.MSVCRT ref: 004458E3
                                                                    • memset.MSVCRT ref: 0044596E
                                                                    • memset.MSVCRT ref: 00445A10
                                                                    • memset.MSVCRT ref: 00445A28
                                                                    • memset.MSVCRT ref: 00445AC6
                                                                      • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                      • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                      • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                      • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                                                      • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                      • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                    • memset.MSVCRT ref: 00445B52
                                                                    • memset.MSVCRT ref: 00445B6A
                                                                    • memset.MSVCRT ref: 00445C9B
                                                                    • memset.MSVCRT ref: 00445CB3
                                                                    • _wcsicmp.MSVCRT ref: 00445D56
                                                                    • memset.MSVCRT ref: 00445B82
                                                                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                      • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                      • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                      • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                                                      • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                                                    • memset.MSVCRT ref: 00445986
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateFolderHandlePathProcSizeSpecial_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
                                                                    • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                                    • API String ID: 1963886904-3798722523
                                                                    • Opcode ID: 4107367e6a52814d16d978fdb1f2ed27fa2de906a3c2bdd9af1925875ae5045e
                                                                    • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                                                    • Opcode Fuzzy Hash: 4107367e6a52814d16d978fdb1f2ed27fa2de906a3c2bdd9af1925875ae5045e
                                                                    • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044C3
                                                                      • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                      • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044E9
                                                                      • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                    • SetErrorMode.KERNELBASE(00008001,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 00412799
                                                                    • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004127B2
                                                                    • EnumResourceTypesW.KERNEL32(00000000,?,00000002), ref: 004127B9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                                    • String ID: $/deleteregkey$/savelangfile
                                                                    • API String ID: 2744995895-28296030
                                                                    • Opcode ID: fcad638c039a134244896b453c320ca2d1027186d3b9ab8085e6916e84848b7d
                                                                    • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                                                    • Opcode Fuzzy Hash: fcad638c039a134244896b453c320ca2d1027186d3b9ab8085e6916e84848b7d
                                                                    • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040B71C
                                                                      • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                                                      • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                                                    • wcsrchr.MSVCRT ref: 0040B738
                                                                    • memset.MSVCRT ref: 0040B756
                                                                    • memset.MSVCRT ref: 0040B7F5
                                                                    • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                    • CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
                                                                    • CloseHandle.KERNELBASE(00000000,?,?), ref: 0040B838
                                                                    • memset.MSVCRT ref: 0040B851
                                                                    • memset.MSVCRT ref: 0040B8CA
                                                                    • memcmp.MSVCRT(?,v10,00000003), ref: 0040B9BF
                                                                      • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                      • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                      • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                    • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
                                                                    • memset.MSVCRT ref: 0040BB53
                                                                    • memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
                                                                    • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: memset$File$Freewcsrchr$AddressCloseCopyCreateCryptDataDeleteHandleLibraryLocalProcUnprotectmemcmpmemcpywcscpy
                                                                    • String ID: chp$v10
                                                                    • API String ID: 1297422669-2783969131
                                                                    • Opcode ID: 544f7529f0c4d3a53e9c457f8d9cabf322a2e4b31897d0a2c4cc607292de5a12
                                                                    • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                                                    • Opcode Fuzzy Hash: 544f7529f0c4d3a53e9c457f8d9cabf322a2e4b31897d0a2c4cc607292de5a12
                                                                    • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                      • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                    • free.MSVCRT ref: 0040E49A
                                                                      • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                    • memset.MSVCRT ref: 0040E380
                                                                      • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                      • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,Function_0004E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                    • wcschr.MSVCRT ref: 0040E3B8
                                                                    • memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,75922EE0), ref: 0040E3EC
                                                                    • memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,75922EE0), ref: 0040E407
                                                                    • memcpy.MSVCRT(?,-00000220,00000008,Function_0004E518,00000000,00000000,75922EE0), ref: 0040E422
                                                                    • memcpy.MSVCRT(?,-00000220,00000008,Function_0004E518,00000000,00000000,75922EE0), ref: 0040E43D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
                                                                    • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                                    • API String ID: 3849927982-2252543386
                                                                    • Opcode ID: 3e36793f9e080becf73b9dda80bc1391f7a6b1e793b4af3828a127e2c1810b15
                                                                    • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                                                    • Opcode Fuzzy Hash: 3e36793f9e080becf73b9dda80bc1391f7a6b1e793b4af3828a127e2c1810b15
                                                                    • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • memset.MSVCRT ref: 004091E2
                                                                      • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                    • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                    • memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                    • memcpy.MSVCRT(?,00000023,?), ref: 0040930C
                                                                    • memcpy.MSVCRT(?,?,00000010), ref: 00409325
                                                                    • memcmp.MSVCRT(00000000,0045A4E8,00000006), ref: 0040933B
                                                                    • memcpy.MSVCRT(?,00000015,?), ref: 00409357
                                                                    • memcpy.MSVCRT(?,?,00000010), ref: 00409370
                                                                    • memcmp.MSVCRT(00000000,004599B8,00000010), ref: 00409411
                                                                    • memcmp.MSVCRT(00000000,0045A500,00000006), ref: 00409429
                                                                    • memcpy.MSVCRT(?,00000023,?), ref: 00409462
                                                                    • memcpy.MSVCRT(?,?,00000010), ref: 0040947E
                                                                    • memcpy.MSVCRT(?,?,00000020), ref: 0040949A
                                                                    • memcmp.MSVCRT(00000000,0045A4F8,00000006), ref: 004094AC
                                                                    • memcpy.MSVCRT(?,00000015,?), ref: 004094D0
                                                                    • memcpy.MSVCRT(?,?,00000020), ref: 004094E8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                                    • String ID:
                                                                    • API String ID: 3715365532-3916222277
                                                                    • Opcode ID: 1c524b1582e21d5cf33c38ae172dfd569e4d92201c70e2bcc6981c46efb40b80
                                                                    • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                                                    • Opcode Fuzzy Hash: 1c524b1582e21d5cf33c38ae172dfd569e4d92201c70e2bcc6981c46efb40b80
                                                                    • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00413D6A
                                                                    • memset.MSVCRT ref: 00413D7F
                                                                    • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                                                    • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                                                    • memset.MSVCRT ref: 00413E07
                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                                                    • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                                                                    • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                                                                    • free.MSVCRT ref: 00413EC1
                                                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                                                    • CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: Handle$CloseProcess32freememset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
                                                                    • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                    • API String ID: 1344430650-1740548384
                                                                    • Opcode ID: 7edb3ed668d67efb41ddc3a99b3dcc2d3fa5e99a9f713289acc2c2ca3bb66fb8
                                                                    • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                                                    • Opcode Fuzzy Hash: 7edb3ed668d67efb41ddc3a99b3dcc2d3fa5e99a9f713289acc2c2ca3bb66fb8
                                                                    • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                                      • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                      • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                      • Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                      • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                      • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                                      • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                    • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                    • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                    • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                    • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                      • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                      • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                      • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                      • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
                                                                    • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                    • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                    • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                    • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                    • CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                    • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                                    • CloseHandle.KERNEL32(?), ref: 0040E148
                                                                    • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                                    • String ID: bhv
                                                                    • API String ID: 4234240956-2689659898
                                                                    • Opcode ID: d6173e2fc1e4a9acd8e6e5097b502ef7bad012bb9f4f5ce7a241332e90e3d993
                                                                    • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                                                    • Opcode Fuzzy Hash: d6173e2fc1e4a9acd8e6e5097b502ef7bad012bb9f4f5ce7a241332e90e3d993
                                                                    • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 691 413f4f-413f52 692 413fa5 691->692 693 413f54-413f5a call 40a804 691->693 695 413f5f-413fa4 GetProcAddress * 5 693->695 695->692
                                                                    APIs
                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                    • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                    • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                    • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                    • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                    • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                    • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                    • API String ID: 2941347001-70141382
                                                                    • Opcode ID: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                                                    • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                                                                    • Opcode Fuzzy Hash: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                                                    • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040C298
                                                                      • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                      • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                                                      • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                                                      • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                    • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                    • wcschr.MSVCRT ref: 0040C324
                                                                    • wcschr.MSVCRT ref: 0040C344
                                                                    • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                    • GetLastError.KERNEL32 ref: 0040C373
                                                                    • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                                                    • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
                                                                    • String ID: visited:
                                                                    • API String ID: 2470578098-1702587658
                                                                    • Opcode ID: 93c9a51482be428e2f8f42027b6bca19130ab09787b58ace62cc7f2a9cf54466
                                                                    • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                                                    • Opcode Fuzzy Hash: 93c9a51482be428e2f8f42027b6bca19130ab09787b58ace62cc7f2a9cf54466
                                                                    • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

                                                                    Control-flow Graph

                                                                    control_flow_graph 721 40e175-40e1a1 call 40695d call 406b90 726 40e1a7-40e1e5 memset 721->726 727 40e299-40e2a8 call 4069a3 721->727 729 40e1e8-40e1fa call 406e8f 726->729 733 40e270-40e27d call 406b53 729->733 734 40e1fc-40e219 call 40dd50 * 2 729->734 733->729 739 40e283-40e286 733->739 734->733 745 40e21b-40e21d 734->745 742 40e291-40e294 call 40aa04 739->742 743 40e288-40e290 free 739->743 742->727 743->742 745->733 746 40e21f-40e235 call 40742e 745->746 746->733 749 40e237-40e242 call 40aae3 746->749 749->733 752 40e244-40e26b _snwprintf call 40a8d0 749->752 752->733
                                                                    APIs
                                                                      • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                    • memset.MSVCRT ref: 0040E1BD
                                                                      • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                    • free.MSVCRT ref: 0040E28B
                                                                      • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                      • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                                                      • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                                                    • _snwprintf.MSVCRT ref: 0040E257
                                                                      • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                      • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                      • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                      • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                                    • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                                    • API String ID: 2804212203-2982631422
                                                                    • Opcode ID: 1336a280070a4f27ef0c8ccd157a42e88156c8d5617ab228165dee6bd52a4842
                                                                    • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                                                    • Opcode Fuzzy Hash: 1336a280070a4f27ef0c8ccd157a42e88156c8d5617ab228165dee6bd52a4842
                                                                    • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                                                                    Control-flow Graph

                                                                    control_flow_graph 754 40b58d-40b59e 755 40b5a4-40b5c0 GetModuleHandleW FindResourceW 754->755 756 40b62e-40b632 754->756 757 40b5c2-40b5ce LoadResource 755->757 758 40b5e7 755->758 757->758 759 40b5d0-40b5e5 SizeofResource LockResource 757->759 760 40b5e9-40b5eb 758->760 759->760 760->756 761 40b5ed-40b5ef 760->761 761->756 762 40b5f1-40b629 call 40afcf memcpy call 40b4d3 call 40b3c1 call 40b04b 761->762 762->756
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(00000000,?, AE,?,?,00411B78,?,General,?,00000000,00000001), ref: 0040B5A5
                                                                    • FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
                                                                    • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                                                    • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                                                    • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                                                    • memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                                                    • String ID: AE$BIN
                                                                    • API String ID: 1668488027-3931574542
                                                                    • Opcode ID: 34e809506899ed03cb1dc36614dfe32cef5e62f1a3b34244b0efced66f6d4593
                                                                    • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                                                    • Opcode Fuzzy Hash: 34e809506899ed03cb1dc36614dfe32cef5e62f1a3b34244b0efced66f6d4593
                                                                    • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                      • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                      • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                    • memset.MSVCRT ref: 0040BC75
                                                                    • memset.MSVCRT ref: 0040BC8C
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,Function_0004E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                                                    • memcmp.MSVCRT(?,00000000,00000005,?,?,?,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE), ref: 0040BCD6
                                                                    • memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
                                                                    • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
                                                                    • String ID:
                                                                    • API String ID: 115830560-3916222277
                                                                    • Opcode ID: 4ebf604db45489440b0c8485e844b7deffc41ff7e568ae10611abfa3d316197e
                                                                    • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                                                                    • Opcode Fuzzy Hash: 4ebf604db45489440b0c8485e844b7deffc41ff7e568ae10611abfa3d316197e
                                                                    • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

                                                                    Control-flow Graph

                                                                    control_flow_graph 822 41837f-4183bf 823 4183c1-4183cc call 418197 822->823 824 4183dc-4183ec call 418160 822->824 829 4183d2-4183d8 823->829 830 418517-41851d 823->830 831 4183f6-41840b 824->831 832 4183ee-4183f1 824->832 829->824 833 418417-418423 831->833 834 41840d-418415 831->834 832->830 835 418427-418442 call 41739b 833->835 834->835 838 418444-41845d CreateFileW 835->838 839 41845f-418475 CreateFileA 835->839 840 418477-41847c 838->840 839->840 841 4184c2-4184c7 840->841 842 41847e-418495 GetLastError free 840->842 845 4184d5-418501 memset call 418758 841->845 846 4184c9-4184d3 841->846 843 4184b5-4184c0 call 444706 842->843 844 418497-4184b3 call 41837f 842->844 843->830 844->830 850 418506-418515 free 845->850 846->845 850->830
                                                                    APIs
                                                                    • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                                                    • CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
                                                                    • GetLastError.KERNEL32 ref: 0041847E
                                                                    • free.MSVCRT ref: 0041848B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: CreateFile$ErrorLastfree
                                                                    • String ID: |A
                                                                    • API String ID: 77810686-1717621600
                                                                    • Opcode ID: b9220c8ee9235e77546fc7e578fe859ac5c7910c95b4d012992e052ab282d142
                                                                    • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                                                                    • Opcode Fuzzy Hash: b9220c8ee9235e77546fc7e578fe859ac5c7910c95b4d012992e052ab282d142
                                                                    • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • memset.MSVCRT ref: 0041249C
                                                                    • ??2@YAPAXI@Z.MSVCRT(00002A88), ref: 004124D2
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000350), ref: 00412510
                                                                    • GetModuleHandleW.KERNEL32(00000000,0000000E), ref: 00412582
                                                                    • LoadIconW.USER32(00000000,00000065), ref: 0041258B
                                                                    • wcscpy.MSVCRT ref: 004125A0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                                                    • String ID: r!A
                                                                    • API String ID: 2791114272-628097481
                                                                    • Opcode ID: c924fcd7ecfcbdf661535418ab9e4f477d4ea067639620652b406838daccced0
                                                                    • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                                                                    • Opcode Fuzzy Hash: c924fcd7ecfcbdf661535418ab9e4f477d4ea067639620652b406838daccced0
                                                                    • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49
                                                                    APIs
                                                                      • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                      • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                      • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                      • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                                                      • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                      • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                                                      • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                                                      • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                      • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                                                      • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                                                      • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                      • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                                                      • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                                                      • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                    • _wcslwr.MSVCRT ref: 0040C817
                                                                      • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                                                      • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                                                    • wcslen.MSVCRT ref: 0040C82C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                                                    • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                                    • API String ID: 2936932814-4196376884
                                                                    • Opcode ID: b881829d82f0d8b9654aa99a04529af2f3c2152f6b010e5444e3d03ead400705
                                                                    • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                                                                    • Opcode Fuzzy Hash: b881829d82f0d8b9654aa99a04529af2f3c2152f6b010e5444e3d03ead400705
                                                                    • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040A824
                                                                    • GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                    • wcscpy.MSVCRT ref: 0040A854
                                                                    • wcscat.MSVCRT ref: 0040A86A
                                                                    • LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                    • LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                    • String ID: C:\Windows\system32
                                                                    • API String ID: 669240632-2896066436
                                                                    • Opcode ID: 808217d469f29374b6c53add07773bde8ba425e7a3f83fd710eb9a2b8acfca27
                                                                    • Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
                                                                    • Opcode Fuzzy Hash: 808217d469f29374b6c53add07773bde8ba425e7a3f83fd710eb9a2b8acfca27
                                                                    • Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
                                                                    APIs
                                                                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                    • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                    • wcslen.MSVCRT ref: 0040BE06
                                                                    • wcsncmp.MSVCRT ref: 0040BE38
                                                                    • memset.MSVCRT ref: 0040BE91
                                                                    • memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                    • _wcsnicmp.MSVCRT ref: 0040BEFC
                                                                    • wcschr.MSVCRT ref: 0040BF24
                                                                    • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$CredEnumerateFreeLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
                                                                    • String ID:
                                                                    • API String ID: 697348961-0
                                                                    • Opcode ID: 33cbc3fbfef4114ffc04ab79ab4e472c1ca1484598d0cfc67a802b423a316e07
                                                                    • Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
                                                                    • Opcode Fuzzy Hash: 33cbc3fbfef4114ffc04ab79ab4e472c1ca1484598d0cfc67a802b423a316e07
                                                                    • Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69
                                                                    APIs
                                                                    • memset.MSVCRT ref: 00403CBF
                                                                    • memset.MSVCRT ref: 00403CD4
                                                                    • memset.MSVCRT ref: 00403CE9
                                                                    • memset.MSVCRT ref: 00403CFE
                                                                    • memset.MSVCRT ref: 00403D13
                                                                      • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                      • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                      • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                      • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                      • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                    • memset.MSVCRT ref: 00403DDA
                                                                      • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                      • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                    • String ID: Waterfox$Waterfox\Profiles
                                                                    • API String ID: 4039892925-11920434
                                                                    • Opcode ID: 74213e66932f07ea3ad059af1798c87c438cc92db4e0e7cdb609a7dadd567ada
                                                                    • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                                                    • Opcode Fuzzy Hash: 74213e66932f07ea3ad059af1798c87c438cc92db4e0e7cdb609a7dadd567ada
                                                                    • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
                                                                    APIs
                                                                    • memset.MSVCRT ref: 00403E50
                                                                    • memset.MSVCRT ref: 00403E65
                                                                    • memset.MSVCRT ref: 00403E7A
                                                                    • memset.MSVCRT ref: 00403E8F
                                                                    • memset.MSVCRT ref: 00403EA4
                                                                      • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                      • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                      • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                      • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                      • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                    • memset.MSVCRT ref: 00403F6B
                                                                      • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                      • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                    • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                                    • API String ID: 4039892925-2068335096
                                                                    • Opcode ID: fb8d06a7ed3fa35f71d99b938417e45633d605fe1ac21657eef3450a4ac41d2d
                                                                    • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                                                                    • Opcode Fuzzy Hash: fb8d06a7ed3fa35f71d99b938417e45633d605fe1ac21657eef3450a4ac41d2d
                                                                    • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
                                                                    APIs
                                                                    • memset.MSVCRT ref: 00403FE1
                                                                    • memset.MSVCRT ref: 00403FF6
                                                                    • memset.MSVCRT ref: 0040400B
                                                                    • memset.MSVCRT ref: 00404020
                                                                    • memset.MSVCRT ref: 00404035
                                                                      • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                      • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                      • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                      • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                      • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                    • memset.MSVCRT ref: 004040FC
                                                                      • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                      • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                    • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                                    • API String ID: 4039892925-3369679110
                                                                    • Opcode ID: a800c2c864e82bb525ebc7d4b700ce70e1897f56eef446e490fc18a40a012dd3
                                                                    • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                                                                    • Opcode Fuzzy Hash: a800c2c864e82bb525ebc7d4b700ce70e1897f56eef446e490fc18a40a012dd3
                                                                    • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
                                                                    APIs
                                                                    • memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy
                                                                    • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                                                    • API String ID: 3510742995-2641926074
                                                                    • Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                    • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                                                                    • Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                    • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                                                                    APIs
                                                                      • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                      • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                                                      • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                                                    • memset.MSVCRT ref: 004033B7
                                                                    • memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
                                                                    • wcscmp.MSVCRT ref: 004033FC
                                                                    • _wcsicmp.MSVCRT ref: 00403439
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
                                                                    • String ID: $0.@
                                                                    • API String ID: 2758756878-1896041820
                                                                    • Opcode ID: 90c1bd1f00aab923b8f25d437f952d518439630af4329cefc1ee53129d619d56
                                                                    • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                                                                    • Opcode Fuzzy Hash: 90c1bd1f00aab923b8f25d437f952d518439630af4329cefc1ee53129d619d56
                                                                    • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                                                                    APIs
                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                    • String ID:
                                                                    • API String ID: 2941347001-0
                                                                    • Opcode ID: 80e482451f5ca37e8404f50e4d067f365766b265f7642500ec0655012d68ebd6
                                                                    • Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
                                                                    • Opcode Fuzzy Hash: 80e482451f5ca37e8404f50e4d067f365766b265f7642500ec0655012d68ebd6
                                                                    • Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C
                                                                    APIs
                                                                    • memset.MSVCRT ref: 00403C09
                                                                    • memset.MSVCRT ref: 00403C1E
                                                                      • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                      • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                                                      • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                                                    • wcscat.MSVCRT ref: 00403C47
                                                                      • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                      • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                      • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                    • wcscat.MSVCRT ref: 00403C70
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
                                                                    • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                                    • API String ID: 1534475566-1174173950
                                                                    • Opcode ID: 8452d1ff202b3ecdc32f03c4689b339ff6508c8f38893fabe83067ed25a4ac21
                                                                    • Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
                                                                    • Opcode Fuzzy Hash: 8452d1ff202b3ecdc32f03c4689b339ff6508c8f38893fabe83067ed25a4ac21
                                                                    • Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
                                                                    APIs
                                                                      • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                    • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                    • memset.MSVCRT ref: 00414C87
                                                                    • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                    • wcscpy.MSVCRT ref: 00414CFC
                                                                      • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                                                    Strings
                                                                    • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: AddressCloseFolderPathProcSpecialVersionmemsetwcscpy
                                                                    • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                    • API String ID: 71295984-2036018995
                                                                    • Opcode ID: f400cfab40eb781a7377af97b809c3f02e1ff83a00fe342fd0a4f0569afe9d8a
                                                                    • Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
                                                                    • Opcode Fuzzy Hash: f400cfab40eb781a7377af97b809c3f02e1ff83a00fe342fd0a4f0569afe9d8a
                                                                    • Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
                                                                    APIs
                                                                    • wcschr.MSVCRT ref: 00414458
                                                                    • _snwprintf.MSVCRT ref: 0041447D
                                                                    • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                                    • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                    • String ID: "%s"
                                                                    • API String ID: 1343145685-3297466227
                                                                    • Opcode ID: aabbe202c5f79078aea71dac5ab2605718744c8b92afc7520f4e067a7367162e
                                                                    • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                                                                    • Opcode Fuzzy Hash: aabbe202c5f79078aea71dac5ab2605718744c8b92afc7520f4e067a7367162e
                                                                    • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                                    • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                                                    • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: AddressHandleModuleProcProcessTimes
                                                                    • String ID: GetProcessTimes$kernel32.dll
                                                                    • API String ID: 1714573020-3385500049
                                                                    • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                    • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
                                                                    • Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                    • Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
                                                                    APIs
                                                                    • memset.MSVCRT ref: 004087D6
                                                                      • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                      • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                                                    • memset.MSVCRT ref: 00408828
                                                                    • memset.MSVCRT ref: 00408840
                                                                    • memset.MSVCRT ref: 00408858
                                                                    • memset.MSVCRT ref: 00408870
                                                                    • memset.MSVCRT ref: 00408888
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                                                    • String ID:
                                                                    • API String ID: 2911713577-0
                                                                    • Opcode ID: 6684bba834465d20886231ffe2d62564197a18c1a2325da43f028315e65dbcab
                                                                    • Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
                                                                    • Opcode Fuzzy Hash: 6684bba834465d20886231ffe2d62564197a18c1a2325da43f028315e65dbcab
                                                                    • Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
                                                                    APIs
                                                                    • memcmp.MSVCRT(?,?,00000004,?,00000065,004381DF,00000065,00000000,00000007,?,00000000), ref: 0041F202
                                                                    • memcmp.MSVCRT(?,SQLite format 3,00000010,?,00000065,004381DF,00000065,00000000), ref: 0041F22D
                                                                    • memcmp.MSVCRT(?,@ ,00000003,?,?,00000065,004381DF,00000065,00000000), ref: 0041F299
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: memcmp
                                                                    • String ID: @ $SQLite format 3
                                                                    • API String ID: 1475443563-3708268960
                                                                    • Opcode ID: bc797f5c287fbec082bfe36368e8bdb92b626008a1b8340b8f00afaa449410d4
                                                                    • Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
                                                                    • Opcode Fuzzy Hash: bc797f5c287fbec082bfe36368e8bdb92b626008a1b8340b8f00afaa449410d4
                                                                    • Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: _wcsicmpqsort
                                                                    • String ID: /nosort$/sort
                                                                    • API String ID: 1579243037-1578091866
                                                                    • Opcode ID: a0f12cb90dd745c164ef67684cb79943b88980d13b6e843c418957b63f9314a7
                                                                    • Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
                                                                    • Opcode Fuzzy Hash: a0f12cb90dd745c164ef67684cb79943b88980d13b6e843c418957b63f9314a7
                                                                    • Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040E60F
                                                                    • memset.MSVCRT ref: 0040E629
                                                                      • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                    Strings
                                                                    • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                                    • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: memsetwcslen$AttributesFileFolderPathSpecialwcscatwcscpy
                                                                    • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                                    • API String ID: 2887208581-2114579845
                                                                    APIs
                                                                    • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                                                    • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                                    • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                                    • LockResource.KERNEL32(00000000), ref: 004148EF
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                     • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                     • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: Resource$FindLoadLockSizeof
                                                                    • String ID:
                                                                    • API String ID: 3473537107-0
                                                                    APIs
                                                                    • ??3@YAXPAX@Z.MSVCRT(022B0048), ref: 0044DF01
                                                                    • ??3@YAXPAX@Z.MSVCRT(022C0050), ref: 0044DF11
                                                                    • ??3@YAXPAX@Z.MSVCRT(00B06E08), ref: 0044DF21
                                                                    • ??3@YAXPAX@Z.MSVCRT(022C0458), ref: 0044DF31
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                     • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                     • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: ??3@
                                                                    • String ID:
                                                                    • API String ID: 613200358-0
                                                                    Strings
                                                                    • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                     • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                     • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: memset
                                                                    • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                    • API String ID: 2221118986-1725073988
                                                                    APIs
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,00000000,00412966,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004125C3
                                                                    • DeleteObject.GDI32(00000000), ref: 004125E7
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                     • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                     • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: ??3@DeleteObject
                                                                    • String ID: r!A
                                                                    • API String ID: 1103273653-628097481
                                                                    APIs
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0CC
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0EA
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D108
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D126
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                     • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                     • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: ??2@
                                                                    • String ID:
                                                                    • API String ID: 1033339047-0
                                                                    APIs
                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                    • memcmp.MSVCRT(?,0044EC68,00000010,?,00000000,?), ref: 00444BA5
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                     • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                     • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$memcmp
                                                                    • String ID: $$8
                                                                    • API String ID: 2808797137-435121686
                                                                    Strings
                                                                    • duplicate column name: %s, xrefs: 004307FE
                                                                    • too many columns on %s, xrefs: 00430763
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                     • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                     • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: duplicate column name: %s$too many columns on %s
                                                                    • API String ID: 0-1445880494
                                                                    APIs
                                                                      • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                      • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                      • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                      • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                      • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                      • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                      • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                      • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                      • Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                    • CloseHandle.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                                                                      • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                                                      • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                                                      • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,75922EE0), ref: 0040E3EC
                                                                    • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                                                    • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                                                                      • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                                                      • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                                                      • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                     • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                     • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
                                                                    • String ID:
                                                                    • API String ID: 1979745280-0
                                                                    APIs
                                                                      • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                                                      • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                                                      • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                                                      • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                                                    • memset.MSVCRT ref: 00403A55
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                      • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                      • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                      • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                      • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                     • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                     • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
                                                                    • String ID: history.dat$places.sqlite
                                                                    • API String ID: 2641622041-467022611
                                                                    APIs
                                                                      • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                      • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                                                      • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                                                    • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                                                    • GetLastError.KERNEL32 ref: 00417627
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                     • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                     • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast$File$PointerRead
                                                                    • String ID:
                                                                    • API String ID: 839530781-0
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: FileFindFirst
                                                                    • String ID: *.*$index.dat
                                                                    • API String ID: 1974802433-2863569691
                                                                    APIs
                                                                    • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                    • GetLastError.KERNEL32 ref: 004175A2
                                                                    • GetLastError.KERNEL32 ref: 004175A8
                                                                    Similarity
                                                                    • API ID: ErrorLast$FilePointer
                                                                    • String ID:
                                                                    • API String ID: 1156039329-0
                                                                    APIs
                                                                    • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                    • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                    • CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                    Similarity
                                                                    • API ID: File$CloseCreateHandleTime
                                                                    • String ID:
                                                                    • API String ID: 3397143404-0
                                                                    APIs
                                                                    • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                    • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                    • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                    Similarity
                                                                    • API ID: Temp$DirectoryFileNamePathWindows
                                                                    • String ID:
                                                                    • API String ID: 1125800050-0
                                                                    APIs
                                                                    • Sleep.KERNEL32(00000064), ref: 004175D0
                                                                    • CloseHandle.KERNELBASE(?,00000000,00000000,0045DBC0,00417C24,00000008,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: CloseHandleSleep
                                                                    • String ID: }A
                                                                    • API String ID: 252777609-2138825249
                                                                    APIs
                                                                    • malloc.MSVCRT ref: 00409A10
                                                                    • memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                                                    • free.MSVCRT ref: 00409A31
                                                                    Similarity
                                                                    • API ID: freemallocmemcpy
                                                                    • String ID:
                                                                    • API String ID: 3056473165-0
                                                                    APIs
                                                                    Strings
                                                                    • failed memory resize %u to %u bytes, xrefs: 00415358
                                                                    Similarity
                                                                    • API ID: realloc
                                                                    • String ID: failed memory resize %u to %u bytes
                                                                    • API String ID: 471065373-2134078882
                                                                    Strings
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: d
                                                                    • API String ID: 0-2564639436
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: memset
                                                                    • String ID: BINARY
                                                                    • API String ID: 2221118986-907554435
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: _wcsicmp
                                                                    • String ID: /stext
                                                                    • API String ID: 2081463915-3817206916
                                                                    APIs
                                                                      • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                    • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                      • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                      • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                      • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                                                      • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                                                    • CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                      • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                                                    Similarity
                                                                    • API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
                                                                    • String ID:
                                                                    • API String ID: 2445788494-0
                                                                    APIs
                                                                    Strings
                                                                    • failed to allocate %u bytes of memory, xrefs: 004152F0
                                                                    Similarity
                                                                    • API ID: malloc
                                                                    • String ID: failed to allocate %u bytes of memory
                                                                    • API String ID: 2803490479-1168259600
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0041BDDF
                                                                    • memcmp.MSVCRT(00001388,?,00000010,?,00000065,00000065,?,?,?,?,?,0041F1B4,?,00000065,004381DF,00000065), ref: 0041BDF1
                                                                    Similarity
                                                                    • API ID: memcmpmemset
                                                                    • String ID:
                                                                    • API String ID: 1065087418-0
                                                                    • Opcode ID: fec4f8c686635726a589492d039bcbb9c6040c3e4ffa7e28f30a1ad23493d54b
                                                                    • Instruction ID: cf105cae5e27f97c9cd1c3f46a8d5e16e2707a712041142e317bfb3d1f631299
                                                                    • Opcode Fuzzy Hash: fec4f8c686635726a589492d039bcbb9c6040c3e4ffa7e28f30a1ad23493d54b
                                                                    • Instruction Fuzzy Hash: 2A615B71A01349EBDB14EFA495815EEB7B4EB04308F1440AFE609D3241E738AED4DB99
                                                                    APIs
                                                                      • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040ECF9
                                                                      • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040EDC0
                                                                    • GetStdHandle.KERNEL32(000000F5,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00410530
                                                                    • CloseHandle.KERNELBASE(00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00410654
                                                                      • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
                                                                      • Part of subcall function 0040973C: GetLastError.KERNEL32(00000000,?,00410669,00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00409750
                                                                      • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                                                      • Part of subcall function 0040973C: MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00409796
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
                                                                    • String ID:
                                                                    • API String ID: 1381354015-0
                                                                    • Opcode ID: 77225ea8c14d98a1088d43b9fd7330a512e035650861724d713e236cc530cbe1
                                                                    • Instruction ID: c777e68e994987bb064ab7fb99de871126f79ef1b866bcb434911d427814d160
                                                                    • Opcode Fuzzy Hash: 77225ea8c14d98a1088d43b9fd7330a512e035650861724d713e236cc530cbe1
                                                                    • Instruction Fuzzy Hash: BE417231A00204EFCB25AF65C885A9E77B6EF84711F20446FF446A7291C7B99EC0DE59
                                                                    APIs
                                                                    • memset.MSVCRT ref: 004301AD
                                                                    • memcpy.MSVCRT(000001A8,?,00000020,?,00000000,00000000,00443DCE,00000000,00000000,00000000,?,00445FAE,?), ref: 004301CD
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: memcpymemset
                                                                    • String ID:
                                                                    • API String ID: 1297977491-0
                                                                    • Opcode ID: 5779d3908ed9fcb9905e682258c98d3473ff673b5cf038f88537d7202db00c15
                                                                    • Instruction ID: 4c6ebae2fd17f46eb6a701b53e5b2159fa076c350f721ddb3a961165d25aeca7
                                                                    • Opcode Fuzzy Hash: 5779d3908ed9fcb9905e682258c98d3473ff673b5cf038f88537d7202db00c15
                                                                    • Instruction Fuzzy Hash: F331BE72A00214EBDF10DF59C881A9EB7B4EF48714F24959AE804AF242C775EE41CB98
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: free
                                                                    • String ID:
                                                                    • API String ID: 1294909896-0
                                                                    • Opcode ID: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                                                                    • Instruction ID: 7f33cc2486ffea160e999b9abaf125df84647c5341351ad01334bd221cd3bada
                                                                    • Opcode Fuzzy Hash: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                                                                    • Instruction Fuzzy Hash: 32D042B0404B008ED7B0DF39D401602BBF0AB093143118D2E90AAC2A50E775A0149F08
                                                                    APIs
                                                                      • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                                                      • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                      • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                      • Part of subcall function 0040A02C: CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                    • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: File$Time$CloseCompareCreateHandlememset
                                                                    • String ID:
                                                                    • API String ID: 2154303073-0
                                                                    • Opcode ID: b49b02137a533de872d41cf471f5063eaa0d82b3b55f9ade19adc7adaa1443d9
                                                                    • Instruction ID: d476be81a684c5cf971044fbd14bb177a9e73989d843208b34704cc982626f94
                                                                    • Opcode Fuzzy Hash: b49b02137a533de872d41cf471f5063eaa0d82b3b55f9ade19adc7adaa1443d9
                                                                    • Instruction Fuzzy Hash: 11111CB6D00218ABCB11EFA5D9415DEBBB9EF44315F20407BE841F7281DA389F45CB95
                                                                    APIs
                                                                      • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                    • String ID:
                                                                    • API String ID: 3150196962-0
                                                                    • Opcode ID: be26bcaf2987f4035eeff70895753d9ab226293c41c78703657a1ba2214892b4
                                                                    • Instruction ID: 35a9ad0fe6b4507ee66bae46934dcfd2e139bf0842d10804986ce3ee8b034d80
                                                                    • Opcode Fuzzy Hash: be26bcaf2987f4035eeff70895753d9ab226293c41c78703657a1ba2214892b4
                                                                    • Instruction Fuzzy Hash: BBF0A4311447126AE6306B7AAC02BE762849F00725F10862EB425D55D1EFA8D5C046AC
                                                                    APIs
                                                                    • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                      • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: File$PointerRead
                                                                    • String ID:
                                                                    • API String ID: 3154509469-0
                                                                    • Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                    • Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
                                                                    • Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                    • Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25
                                                                    APIs
                                                                    • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                                                      • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                                                      • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                                                      • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: PrivateProfile$StringWrite_itowmemset
                                                                    • String ID:
                                                                    • API String ID: 4232544981-0
                                                                    • Opcode ID: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                                    • Instruction ID: 104e910b762de94586eb11e4c264cf061db1895f8dce3fe8c281d71359574313
                                                                    • Opcode Fuzzy Hash: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                                    • Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59
                                                                    APIs
                                                                    • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: FreeLibrary
                                                                    • String ID:
                                                                    • API String ID: 3664257935-0
                                                                    • Opcode ID: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                                    • Instruction ID: 9043d1e372537a54137ae43dcd20834ee918eeaa55a47e8e1dedab4d47514996
                                                                    • Opcode Fuzzy Hash: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                                    • Instruction Fuzzy Hash: E2E0F6B5900B018FD3708F1BE944406FBF8BFE56113108A1FD4AAC2A24D7B4A1898F54
                                                                    APIs
                                                                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                    • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$FileModuleName
                                                                    • String ID:
                                                                    • API String ID: 3859505661-0
                                                                    • Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                    • Instruction ID: eb737a8a997ed41d0f7a348c178ce8d4b8225706e43eb580f21eee6dbde26bc7
                                                                    • Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                    • Instruction Fuzzy Hash: 6FD02231B083007BEA20EE70CC00FCBA2F47F40F12F008C5AB191D2080C374C9495305
                                                                    APIs
                                                                    • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: FileRead
                                                                    • String ID:
                                                                    • API String ID: 2738559852-0
                                                                    • Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                                    • Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
                                                                    • Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                                    • Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55
                                                                    APIs
                                                                    • WriteFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,?,0041056A,00000000,004538EC,00000002,?,00412758,00000000,00000000,?), ref: 0040A325
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: FileWrite
                                                                    • String ID:
                                                                    • API String ID: 3934441357-0
                                                                    • Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                    • Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
                                                                    • Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                    • Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94
                                                                    APIs
                                                                    • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: FreeLibrary
                                                                    • String ID:
                                                                    • API String ID: 3664257935-0
                                                                    APIs
                                                                    • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: CreateFile
                                                                    • String ID:
                                                                    • API String ID: 823142352-0
                                                                    APIs
                                                                    • CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: CreateFile
                                                                    • String ID:
                                                                    • API String ID: 823142352-0
                                                                    APIs
                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: ??3@
                                                                    • String ID:
                                                                    • API String ID: 613200358-0
                                                                    APIs
                                                                    • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: FreeLibrary
                                                                    • String ID:
                                                                    • API String ID: 3664257935-0
                                                                    APIs
                                                                    • EnumResourceNamesW.KERNELBASE(?,?,004148B6,00000000), ref: 0041494B
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: EnumNamesResource
                                                                    • String ID:
                                                                    • API String ID: 3334572018-0
                                                                    APIs
                                                                    • FreeLibrary.KERNELBASE(00000000), ref: 0044DEB6
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: FreeLibrary
                                                                    • String ID:
                                                                    • API String ID: 3664257935-0
                                                                    APIs
                                                                    • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: CloseFind
                                                                    • String ID:
                                                                    • API String ID: 1863332320-0
                                                                    APIs
                                                                    • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: Open
                                                                    • String ID:
                                                                    • API String ID: 71445658-0
                                                                    APIs
                                                                    • GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: AttributesFile
                                                                    • String ID:
                                                                    • API String ID: 3188754299-0
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    APIs
                                                                    • memset.MSVCRT ref: 004095FC
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                      • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                                                      • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                      • Part of subcall function 004091B8: memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                                                    • String ID:
                                                                    • API String ID: 3655998216-0
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    APIs
                                                                    • memset.MSVCRT ref: 00445426
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                      • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                      • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                                                    • String ID:
                                                                    • API String ID: 1828521557-0
                                                                    • Opcode ID: 30388877fc1f1466cb5fc4dbbd946ecf0cc3df28c932be715bfff3731eba89eb
                                                                    • Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
                                                                    • Opcode Fuzzy Hash: 30388877fc1f1466cb5fc4dbbd946ecf0cc3df28c932be715bfff3731eba89eb
                                                                    • Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9
                                                                    APIs
                                                                      • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                      • Part of subcall function 004062A6: SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                    • memcpy.MSVCRT(00000000,00000000,?,00000000,00000000,?,00000000,0040627C), ref: 00406942
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: ??2@FilePointermemcpy
                                                                    • String ID:
                                                                    • API String ID: 609303285-0
                                                                    • Opcode ID: 56af1d3d616a015a3ecb908bea2399ecc0b12673b9d22b9fdb7fca1b43f88111
                                                                    • Instruction ID: a147fa8ec668463fbbadbca9a08a444fcb23aa95a0ceadfc627c4072e562ebd5
                                                                    • Opcode Fuzzy Hash: 56af1d3d616a015a3ecb908bea2399ecc0b12673b9d22b9fdb7fca1b43f88111
                                                                    • Instruction Fuzzy Hash: 4B11A7B2500108BBDB11A755C840F9F77ADDF85318F16807AF90677281C778AE2687A9
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: _wcsicmp
                                                                    • String ID:
                                                                    • API String ID: 2081463915-0
                                                                    • Opcode ID: cbddd43e50b6ded4d98ad0d82dd6b3ceb41ab08d79f44c56bc7594620457dfc9
                                                                    • Instruction ID: 44e68c08f8902dbc9d3bec9e3d7b81d72528a2b8c41660eeece459a1934edfa0
                                                                    • Opcode Fuzzy Hash: cbddd43e50b6ded4d98ad0d82dd6b3ceb41ab08d79f44c56bc7594620457dfc9
                                                                    • Instruction Fuzzy Hash: 0C118CB1600205AFD710DF65C8809AAB7F8FF44314F11843EE55AE7240EB34F9658B68
                                                                    APIs
                                                                      • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                                                      • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                    • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                                                      • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: File$CloseCreateErrorHandleLastRead
                                                                    • String ID:
                                                                    • API String ID: 2136311172-0
                                                                    • Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                    • Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
                                                                    • Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                    • Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E
                                                                    APIs
                                                                      • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: ??2@??3@
                                                                    • String ID:
                                                                    • API String ID: 1936579350-0
                                                                    • Opcode ID: b7d64a9db0ab8f7e7b6c625ee8b1c93a5659d73149cb5b89327274070e360fa5
                                                                    • Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
                                                                    • Opcode Fuzzy Hash: b7d64a9db0ab8f7e7b6c625ee8b1c93a5659d73149cb5b89327274070e360fa5
                                                                    • Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: free
                                                                    • String ID:
                                                                    • API String ID: 1294909896-0
                                                                    • Opcode ID: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                                    • Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
                                                                    • Opcode Fuzzy Hash: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                                    • Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: free
                                                                    • String ID:
                                                                    • API String ID: 1294909896-0
                                                                    • Opcode ID: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                                    • Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
                                                                    • Opcode Fuzzy Hash: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                                    • Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: free
                                                                    • String ID:
                                                                    • API String ID: 1294909896-0
                                                                    • Opcode ID: 908a2f96169ffd3f5635234353574390e30f5bbba8146f1a6a93cc8e14f9cc97
                                                                    • Instruction ID: 5e082493cfe38c59748d9de5a46a99a47989c0e105afa31b953e1adb18ef7a34
                                                                    • Opcode Fuzzy Hash: 908a2f96169ffd3f5635234353574390e30f5bbba8146f1a6a93cc8e14f9cc97
                                                                    • Instruction Fuzzy Hash: 17900282455501105C0425755C06505110808A313A376074A7032955D1CE188060601D
                                                                    APIs
                                                                    • GetLastError.KERNEL32 ref: 004182D7
                                                                      • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                    • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                                                    • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                                                    • LocalFree.KERNEL32(?), ref: 00418342
                                                                    • free.MSVCRT ref: 00418370
                                                                      • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7591DF80,?,0041755F,?), ref: 00417452
                                                                      • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
                                                                    • String ID: OsError 0x%x (%u)
                                                                    • API String ID: 2360000266-2664311388
                                                                    • Opcode ID: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                                                    • Instruction ID: 20f22e5b187e4483f2e635e74e626e0383ca95cf640bb4168ff376264581b0c9
                                                                    • Opcode Fuzzy Hash: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                                                    • Instruction Fuzzy Hash: 6011B634901128FBCB11ABE2DC49CDF7F78FF85B54B10405AF811A2251DB754A81D7A9
                                                                    APIs
                                                                    • GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: Version
                                                                    • String ID:
                                                                    • API String ID: 1889659487-0
                                                                    • Opcode ID: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
                                                                    • Instruction ID: 34334e4c1a53cba42546035453d5331cf18162d9798f59f763323439a3546438
                                                                    • Opcode Fuzzy Hash: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
                                                                    • Instruction Fuzzy Hash: BAE0463590131CCFEB24DB34DB0B7C676F5AB08B46F0104F4C20AC2092D3789688CA2A
                                                                    APIs
                                                                    • _wcsicmp.MSVCRT ref: 004022A6
                                                                    • _wcsicmp.MSVCRT ref: 004022D7
                                                                    • _wcsicmp.MSVCRT ref: 00402305
                                                                    • _wcsicmp.MSVCRT ref: 00402333
                                                                      • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                      • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,Function_0004E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                    • memset.MSVCRT ref: 0040265F
                                                                    • memcpy.MSVCRT(?,?,00000011), ref: 0040269B
                                                                      • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                      • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                      • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                    • memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
                                                                    • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                                                    • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: _wcsicmp$Freememcpy$Library$AddressCryptDataLocalProcUnprotectmemsetwcslen
                                                                    • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                                                    • API String ID: 2929817778-1134094380
                                                                    • Opcode ID: 50789d42b67ef9cbe8ec8181fd3a7e8d092fde0b3f08ce177d697f6554f1c07e
                                                                    • Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
                                                                    • Opcode Fuzzy Hash: 50789d42b67ef9cbe8ec8181fd3a7e8d092fde0b3f08ce177d697f6554f1c07e
                                                                    • Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                                                    • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                                                    • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                                                    • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                                                    • GetWindowRect.USER32(?,?), ref: 00414088
                                                                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                                                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                                                    • GetDC.USER32 ref: 004140E3
                                                                    • wcslen.MSVCRT ref: 00414123
                                                                    • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                                                    • ReleaseDC.USER32(?,?), ref: 00414181
                                                                    • _snwprintf.MSVCRT ref: 00414244
                                                                    • SetWindowTextW.USER32(?,?), ref: 00414258
                                                                    • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                                                    • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                                                    • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                                                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                                                    • GetClientRect.USER32(?,?), ref: 004142E1
                                                                    • GetWindowRect.USER32(?,?), ref: 004142EB
                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                                                    • GetClientRect.USER32(?,?), ref: 0041433B
                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                                                    • String ID: %s:$EDIT$STATIC
                                                                    APIs
                                                                    • EndDialog.USER32(?,?), ref: 00413221
                                                                    • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                                                    • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                                                    • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                                                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                                                    • memset.MSVCRT ref: 00413292
                                                                    • memset.MSVCRT ref: 004132B4
                                                                    • memset.MSVCRT ref: 004132CD
                                                                    • memset.MSVCRT ref: 004132E1
                                                                    • memset.MSVCRT ref: 004132FB
                                                                    • memset.MSVCRT ref: 00413310
                                                                    • GetCurrentProcess.KERNEL32 ref: 00413318
                                                                    • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                                                    • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                                                    • memset.MSVCRT ref: 004133C0
                                                                    • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                                                    • memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
                                                                    • wcscpy.MSVCRT ref: 0041341F
                                                                    • _snwprintf.MSVCRT ref: 0041348E
                                                                    • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                                                    • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                                                    • SetFocus.USER32(00000000), ref: 004134B7
                                                                    Strings
                                                                    • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                                                    • {Unknown}, xrefs: 004132A6
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                                    • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                                                    • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                                                    • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                                                    • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                                                    • SetCursor.USER32(00000000,?,?), ref: 0040129E
                                                                    • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                                                    • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                                                    • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                                                    • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                                                    • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                                                    • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                                                    • EndDialog.USER32(?,?), ref: 0040135E
                                                                    • DeleteObject.GDI32(?), ref: 0040136A
                                                                    • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                                                    • ShowWindow.USER32(00000000), ref: 00401398
                                                                    • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                                                    • ShowWindow.USER32(00000000), ref: 004013A7
                                                                    • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                                                    • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                                                    • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                                                    • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                                    • String ID:
                                                                    APIs
                                                                    • memset.MSVCRT ref: 00404172
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                    • wcscpy.MSVCRT ref: 004041D6
                                                                    • wcscpy.MSVCRT ref: 004041E7
                                                                    • memset.MSVCRT ref: 00404200
                                                                    • memset.MSVCRT ref: 00404215
                                                                    • _snwprintf.MSVCRT ref: 0040422F
                                                                    • wcscpy.MSVCRT ref: 00404242
                                                                    • memset.MSVCRT ref: 0040426E
                                                                    • memset.MSVCRT ref: 004042CD
                                                                    • memset.MSVCRT ref: 004042E2
                                                                    • _snwprintf.MSVCRT ref: 004042FE
                                                                    • wcscpy.MSVCRT ref: 00404311
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                                                    • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                    • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                    • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                    • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                    • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                    • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                    • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                    • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                    • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$HandleModule
                                                                    • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll$p+v@Fv@Bv
                                                                    APIs
                                                                      • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                                                    • SetMenu.USER32(?,00000000), ref: 00411453
                                                                    • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                                                    • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                                                    • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                                                    • memcpy.MSVCRT(?,?,00002008,?,00000000,/nosaveload,00000000,00000001), ref: 004115C8
                                                                    • ShowWindow.USER32(?,?), ref: 004115FE
                                                                    • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                                                    • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                                                    • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                                                    • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                                                    • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                                                      • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                                                      • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                                                    • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: _snwprintf$memset$wcscpy
                                                                    • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                    APIs
                                                                      • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                                                      • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                                                      • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                      • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                      • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                      • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                      • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                      • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                      • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                      • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                      • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                                                    • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                                                    • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                                                    • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                                                    • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                                                    • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                                                    • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                                                    • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                                                    • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                                                    • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
Similarity
• API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
• String ID:
• API String ID: 1043902810-0
• Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
• Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
• Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
• Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
APIs
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
• ??2@YAPAXI@Z.MSVCRT(00000001,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 0040859D
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
• memset.MSVCRT ref: 004085CF
• memset.MSVCRT ref: 004085F1
• memset.MSVCRT ref: 00408606
• strcmp.MSVCRT ref: 00408645
• _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
• _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
• memset.MSVCRT ref: 0040870E
• strcmp.MSVCRT ref: 0040876B
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
• CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
Strings
Similarity
• API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
• String ID: ---
• API String ID: 3437578500-2854292027
• Opcode ID: 514a4b219222fc308ac2af9ebc5a2bc9af16dfffa76d3dbf40f60a33dc7994f2
• Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
• Opcode Fuzzy Hash: 514a4b219222fc308ac2af9ebc5a2bc9af16dfffa76d3dbf40f60a33dc7994f2
• Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
APIs
Strings
Similarity
• API ID: _wcsicmp
• String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
• API String ID: 2081463915-1959339147
• Opcode ID: ed70c74fadb10ab7d72ef9915f44c0908033a9cd6b37cdcdb0b46a34d9d8d060
• Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
• Opcode Fuzzy Hash: ed70c74fadb10ab7d72ef9915f44c0908033a9cd6b37cdcdb0b46a34d9d8d060
• Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E
APIs
• GetDC.USER32(00000000), ref: 004121FF
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
• ReleaseDC.USER32(00000000,00000000), ref: 0041221F
• SetBkMode.GDI32(?,00000001), ref: 00412232
• SetTextColor.GDI32(?,00FF0000), ref: 00412240
• SelectObject.GDI32(?,?), ref: 00412251
• DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
• SelectObject.GDI32(00000014,00000005), ref: 00412291
  • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
  • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
  • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
• GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
• LoadCursorW.USER32(00000000,00000067), ref: 004122B5
• SetCursor.USER32(00000000), ref: 004122BC
• PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
• memcpy.MSVCRT(?,?,00002008), ref: 0041234D
Similarity
• API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
• String ID:
• API String ID: 1700100422-0
• Opcode ID: 982738172b7671ed7e60757921d653f6822ff96d67897b30d29685b1d4afaeae
• Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
• Opcode Fuzzy Hash: 982738172b7671ed7e60757921d653f6822ff96d67897b30d29685b1d4afaeae
• Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
APIs
• GetClientRect.USER32(?,?), ref: 004111E0
• GetWindowRect.USER32(?,?), ref: 004111F6
• GetWindowRect.USER32(?,?), ref: 0041120C
• GetDlgItem.USER32(00000000,0000040D), ref: 00411246
• GetWindowRect.USER32(00000000), ref: 0041124D
• MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
• BeginDeferWindowPos.USER32(00000004), ref: 00411281
• DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
• DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
• DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
• DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
• EndDeferWindowPos.USER32(?), ref: 0041130B
Similarity
• API ID: Window$Defer$Rect$BeginClientItemPoints
• String ID:
• API String ID: 552707033-0
• Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
• Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
• Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
• Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
APIs
• CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
  • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
• GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
  • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
  • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
• memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
• strchr.MSVCRT ref: 0040C140
• strchr.MSVCRT ref: 0040C151
• _strlwr.MSVCRT ref: 0040C15F
• memset.MSVCRT ref: 0040C17A
• CloseHandle.KERNEL32(00000000), ref: 0040C1C7
Strings
Similarity
• API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
• String ID: 4$h
• API String ID: 4066021378-1856150674
• Opcode ID: 71bd764b9dcf29740d9000bfd46b6f343dec630bed034bbd58b4fa538d0cb68c
• Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
• Opcode Fuzzy Hash: 71bd764b9dcf29740d9000bfd46b6f343dec630bed034bbd58b4fa538d0cb68c
• Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
APIs
• SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
• KillTimer.USER32(?,00000041), ref: 004060D7
• KillTimer.USER32(?,00000041), ref: 004060E8
• GetTickCount.KERNEL32 ref: 0040610B
• GetParent.USER32(?), ref: 00406136
• SendMessageW.USER32(00000000), ref: 0040613D
• BeginDeferWindowPos.USER32(00000004), ref: 0040614B
• EndDeferWindowPos.USER32(00000000), ref: 0040619B
• InvalidateRect.USER32(?,?,00000001), ref: 004061A7
Strings
Similarity
• API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
• String ID: A
• API String ID: 2892645895-3554254475
• Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
• Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
• Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
• Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
APIs
Strings
Similarity
• API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
• String ID: 0$6
• API String ID: 4066108131-3849865405
• Opcode ID: fc96a420e8f8bdf87928e34e657a0b6c1b8723afb93dcca2deed5b8d5a3436dd
• Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
• Opcode Fuzzy Hash: fc96a420e8f8bdf87928e34e657a0b6c1b8723afb93dcca2deed5b8d5a3436dd
• Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
APIs
• memset.MSVCRT ref: 004082EF
  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
• memset.MSVCRT ref: 00408362
• memset.MSVCRT ref: 00408377
Similarity
• API ID: memset$ByteCharMultiWide
• String ID:
• API String ID: 290601579-0
• Opcode ID: aa14e1b9e389497361ed401ed70ebc10d5f62d7ff5e107018b9223dc9ab6e0fb
• Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
• Opcode Fuzzy Hash: aa14e1b9e389497361ed401ed70ebc10d5f62d7ff5e107018b9223dc9ab6e0fb
• Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
APIs
• memset.MSVCRT ref: 0040A47B
• _snwprintf.MSVCRT ref: 0040A4AE
• wcslen.MSVCRT ref: 0040A4BA
• memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
• wcslen.MSVCRT ref: 0040A4E0
• memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
Strings
Similarity
• API ID: memcpywcslen$_snwprintfmemset
• String ID: %s (%s)$YV@
• API String ID: 3979103747-598926743
• Opcode ID: 1cd29c0c96bb3ddeb02ffde04bffb630c2350d0f86c95190f97a15d0a128dfe3
• Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
• Opcode Fuzzy Hash: 1cd29c0c96bb3ddeb02ffde04bffb630c2350d0f86c95190f97a15d0a128dfe3
• Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
APIs
• LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044C3
• GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
• FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044E9
• MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
Strings
                                                                    Similarity
                                                                    • API ID: Library$AddressFreeLoadMessageProc
                                                                    • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
APIs
• LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,00409764,?,00000000,?,00410669,00000000,?,00412758,00000000), ref: 0040A686
• FormatMessageW.KERNEL32(00001100,00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00409764,?,00000000,?,00410669), ref: 0040A6A4
• wcslen.MSVCRT ref: 0040A6B1
• wcscpy.MSVCRT ref: 0040A6C1
• LocalFree.KERNEL32(00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00409764,?,00000000,?,00410669,00000000), ref: 0040A6CB
• wcscpy.MSVCRT ref: 0040A6DB
Strings
Similarity
• API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
• String ID: Unknown Error$netmsg.dll
APIs
Strings
• too many attached databases - max %d, xrefs: 0042F64D
• attached databases must use the same text encoding as main database, xrefs: 0042F76F
• database %s is already in use, xrefs: 0042F6C5
• cannot ATTACH database within transaction, xrefs: 0042F663
• unable to open database: %s, xrefs: 0042F84E
• database is already attached, xrefs: 0042F721
• out of memory, xrefs: 0042F865
Similarity
• API ID: memcpymemset
• String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
APIs
• DeleteFileW.KERNEL32(00000000,00000000,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
• GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
• GetLastError.KERNEL32 ref: 0041855C
• Sleep.KERNEL32(00000064), ref: 00418571
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
• GetFileAttributesA.KERNEL32(00000000), ref: 00418581
• GetLastError.KERNEL32 ref: 0041858E
• Sleep.KERNEL32(00000064), ref: 004185A3
• free.MSVCRT ref: 004185AC
Similarity
• API ID: File$AttributesDeleteErrorLastSleep$free
• String ID:
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
• wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
  • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
• wcslen.MSVCRT ref: 0040D1D3
• GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
• LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
• memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0CC
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0EA
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D108
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D126
Strings
Similarity
• API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
• String ID: strings
APIs
  • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
• memset.MSVCRT ref: 00405455
• memset.MSVCRT ref: 0040546C
• memset.MSVCRT ref: 00405483
• memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405498
• memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054AD
Strings
Similarity
• API ID: memset$memcpy$ErrorLast
• String ID: 6$\
APIs
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
• GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
• GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
• wcscpy.MSVCRT ref: 0040A0D9
• wcscat.MSVCRT ref: 0040A0E6
• wcscat.MSVCRT ref: 0040A0F5
• wcscpy.MSVCRT ref: 0040A107
Similarity
• API ID: Time$Formatwcscatwcscpy$DateFileSystem
• String ID:
APIs
  • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• GetProcAddress.KERNEL32(?,00000000), ref: 00404398
• GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
• GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
• GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
• GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
Strings
Similarity
• API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
• String ID: advapi32.dll
APIs
Strings
• <?xml version="1.0" ?>, xrefs: 0041007C
• <%s>, xrefs: 004100A6
• <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
Similarity
• API ID: memset$_snwprintf
• String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
APIs
Strings
Similarity
• API ID: wcscat$_snwprintfmemset
• String ID: %2.2X
APIs
Strings
                                                                    Similarity
                                                                    • API ID: _snwprintfwcscpy
                                                                    • String ID: dialog_%d$general$menu_%d$strings
                                                                    • API String ID: 999028693-502967061
                                                                    • Opcode ID: 80a89c9967db9934379ab2cd2962a5087f7f7915bf37897dca38dc6723802d56
                                                                    • Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
                                                                    • Opcode Fuzzy Hash: 80a89c9967db9934379ab2cd2962a5087f7f7915bf37897dca38dc6723802d56
                                                                    • Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
                                                                    APIs
                                                                      • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                      • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                      • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                      • Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD
                                                                    • memset.MSVCRT ref: 0040C439
                                                                    • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                    • _wcsupr.MSVCRT ref: 0040C481
                                                                      • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                      • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                      • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                      • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                                                    • memset.MSVCRT ref: 0040C4D0
                                                                    • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                                                    • String ID:
                                                                    • API String ID: 4131475296-0
                                                                    • Opcode ID: f8fc55ba245d1c9f6a3ba6cb2a4711690556c3657263a09b0baeb8372baa9e99
                                                                    • Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
                                                                    • Opcode Fuzzy Hash: f8fc55ba245d1c9f6a3ba6cb2a4711690556c3657263a09b0baeb8372baa9e99
                                                                    • Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: AttributesFilefreememset
                                                                    • String ID:
                                                                    • API String ID: 2507021081-0
                                                                    • Opcode ID: f626a43687866fd62cff7198848d6d3005aba6e6c292beb9a178d7ac8eb7ae81
                                                                    • Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
                                                                    • Opcode Fuzzy Hash: f626a43687866fd62cff7198848d6d3005aba6e6c292beb9a178d7ac8eb7ae81
                                                                    • Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE
                                                                    APIs
                                                                    • AreFileApisANSI.KERNEL32 ref: 004174FC
                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                                                    • malloc.MSVCRT ref: 00417524
                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                                                    • free.MSVCRT ref: 00417544
                                                                    • free.MSVCRT ref: 00417562
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWidefree$ApisFilemalloc
                                                                    • String ID:
                                                                    • API String ID: 4131324427-0
                                                                    • Opcode ID: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                                                    • Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
                                                                    • Opcode Fuzzy Hash: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                                                    • Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
                                                                    APIs
                                                                    • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                                                    • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                                                    • free.MSVCRT ref: 0041822B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: PathTemp$free
                                                                    • String ID: %s\etilqs_$etilqs_
                                                                    • API String ID: 924794160-1420421710
                                                                    • Opcode ID: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                                                    • Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
                                                                    • Opcode Fuzzy Hash: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                                                    • Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
                                                                    APIs
                                                                    Strings
                                                                    • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                                                    • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                                                    • unknown column "%s" in foreign key definition, xrefs: 00431858
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy
                                                                    • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                    • API String ID: 3510742995-272990098
                                                                    • Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                    • Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
                                                                    • Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                    • Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
                                                                    APIs
                                                                    • AreFileApisANSI.KERNEL32 ref: 00417497
                                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                                    • malloc.MSVCRT ref: 004174BD
                                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                                    • free.MSVCRT ref: 004174E4
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                                                    • String ID:
                                                                    • API String ID: 4053608372-0
                                                                    • Opcode ID: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                                                    • Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
                                                                    • Opcode Fuzzy Hash: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                                                    • Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
                                                                    APIs
                                                                    • GetParent.USER32(?), ref: 0040D453
                                                                    • GetWindowRect.USER32(?,?), ref: 0040D460
                                                                    • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                                    • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                                                    • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Rect$ClientParentPoints
                                                                    • String ID:
                                                                    • API String ID: 4247780290-0
                                                                    • Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                    • Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
                                                                    • Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                    • Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5
                                                                    APIs
                                                                      • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                    • ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                    • memset.MSVCRT ref: 004450CD
                                                                      • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                      • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                                                      • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                      • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                      • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                    • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                                    • String ID:
                                                                    • API String ID: 1471605966-0
                                                                    • Opcode ID: edfdfd5907517e88f4142de78b3de7a943e3e7aedefbd09b5ff7bb7402004b57
                                                                    • Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
                                                                    • Opcode Fuzzy Hash: edfdfd5907517e88f4142de78b3de7a943e3e7aedefbd09b5ff7bb7402004b57
                                                                    • Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD
                                                                    APIs
                                                                    • memset.MSVCRT ref: 004100FB
                                                                    • memset.MSVCRT ref: 00410112
                                                                      • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                      • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                    • _snwprintf.MSVCRT ref: 00410141
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: memset$_snwprintf_wcslwrwcscpy
                                                                    • String ID: </%s>
                                                                    • API String ID: 3400436232-259020660
                                                                    • Opcode ID: 5b9d86c37e8fc893e623c972aadbd746c4d139f4edb44e4e662c1ed71a902018
                                                                    • Instruction ID: d6b380c41b5e3e458bf6abeca455f552dea24a705517b0a2e3702c553642f250
                                                                    • Opcode Fuzzy Hash: 5b9d86c37e8fc893e623c972aadbd746c4d139f4edb44e4e662c1ed71a902018
                                                                    • Instruction Fuzzy Hash: 9B01DBF3D0012977D730A755CC46FEA76ACEF45304F0000B6BB08B3186DB78DA458A99
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040D58D
                                                                    • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                                                    • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: ChildEnumTextWindowWindowsmemset
                                                                    • String ID: caption
                                                                    • API String ID: 1523050162-4135340389
                                                                    • Opcode ID: 0d93d59d75102ca4f37fb867a54fcac0e05f73641c093ad9b23abec7f1ae8059
                                                                    • Instruction ID: dcfab03f3ae0740f4c11e1fd8af26e22289cdce227bdcda27870e2dbaf68b2c3
                                                                    • Opcode Fuzzy Hash: 0d93d59d75102ca4f37fb867a54fcac0e05f73641c093ad9b23abec7f1ae8059
                                                                    • Instruction Fuzzy Hash: 50F08131D0031876FB206B95CC4EB8A3268AB04744F000076BE04B61D2DBB8EA44C69D
                                                                    APIs
                                                                      • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                                                      • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                                                    • CreateFontIndirectW.GDI32(?), ref: 00401156
                                                                    • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                                                    • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                                                    • String ID: MS Sans Serif
                                                                    • API String ID: 210187428-168460110
                                                                    • Opcode ID: d52be591b3ab58c36f6074870949877e32a333ebc1fa33980d7036594a0e8467
                                                                    • Instruction ID: 44e142790c58e2983bb51e892a2c7280827b5342727586ee11fe1c2be2fb852b
                                                                    • Opcode Fuzzy Hash: d52be591b3ab58c36f6074870949877e32a333ebc1fa33980d7036594a0e8467
                                                                    • Instruction Fuzzy Hash: 7CF082B5A4030877EB326BA1DC46F9A77BDBB44B01F040935F721B91D1D3F4A585C658
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040560C
                                                                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                                                      • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                                                      • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                                                      • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                      • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                                                      • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                      • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                      • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                      • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                      • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                      • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                      • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                    • String ID: *.*$dat$wand.dat
                                                                    • API String ID: 2618321458-1828844352
                                                                    • Opcode ID: 0657051124b0d036bd635f999d135efdf1f0fa3481af6b00979a6af828487765
                                                                    • Instruction ID: e27ea46a2f82f1f177a07810d763c9ecc86b2647b265d762bc330c580f82b585
                                                                    • Opcode Fuzzy Hash: 0657051124b0d036bd635f999d135efdf1f0fa3481af6b00979a6af828487765
                                                                    • Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89
                                                                    APIs
                                                                    • memset.MSVCRT ref: 00412057
                                                                      • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,Function_0004E518,Function_0004E518,00000005), ref: 0040A12C
                                                                    • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                                                    • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                                                    • GetKeyState.USER32(00000010), ref: 0041210D
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                                    • String ID:
                                                                    • API String ID: 3550944819-0
                                                                    • Opcode ID: e484aa313eeb80bd7472f2401a4c50dedc9a7c38d875d1deba0becea129ff557
                                                                    • Instruction ID: 97bad96470fefb965444fbd8e179d7ef3b872eae7f66eff2ef5a186de824ffeb
                                                                    • Opcode Fuzzy Hash: e484aa313eeb80bd7472f2401a4c50dedc9a7c38d875d1deba0becea129ff557
                                                                    • Instruction Fuzzy Hash: 5341C330600305EBDB209F15CD88B9677A8AB54324F10817AEA699B2E2D7B89DD1CB14
                                                                    APIs
                                                                    • free.MSVCRT ref: 0040F561
                                                                    • memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
                                                                    • memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy$free
                                                                    • String ID: g4@
                                                                    • API String ID: 2888793982-2133833424
                                                                    • Opcode ID: e202219f899f6405cf9ccc08ea0a2323c377b0568c486578cbaaf15be4e6d242
                                                                    • Instruction ID: 6372a4083673351870aa2a156e9431cadfa41d37230e9e7fabcd635cb7c3c96e
                                                                    • Opcode Fuzzy Hash: e202219f899f6405cf9ccc08ea0a2323c377b0568c486578cbaaf15be4e6d242
                                                                    • Instruction Fuzzy Hash: D2217A30900604EFCB20DF29C94182ABBF5FF447247204A7EE852A3B91E735EE119B04
                                                                    APIs
                                                                    • memset.MSVCRT ref: 004144E7
                                                                      • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                                                      • Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                    • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                                                    • memset.MSVCRT ref: 0041451A
                                                                    • GetPrivateProfileStringW.KERNEL32(?,?,Function_0004E518,?,00002000,?), ref: 0041453C
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                    • String ID:
                                                                    • API String ID: 1127616056-0
                                                                    • Opcode ID: 914c831d0af6f6b5d0e69cc874d3cd2e27131541a502a72cc4fac318c133dcf3
                                                                    • Instruction ID: e03fcf36bb778615f94f946172f2cadce4c7e53e7889dedf6030812535802df7
                                                                    • Opcode Fuzzy Hash: 914c831d0af6f6b5d0e69cc874d3cd2e27131541a502a72cc4fac318c133dcf3
                                                                    • Instruction Fuzzy Hash: 9A1170B1500119BFEF115F65EC02EDA7B69EF04714F100066FB09B2060E6319A60DB9D
                                                                    APIs
                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7591DF80,?,0041755F,?), ref: 00417452
                                                                    • malloc.MSVCRT ref: 00417459
                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,7591DF80,?,0041755F,?), ref: 00417478
                                                                    • free.MSVCRT ref: 0041747F
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$freemalloc
                                                                    • String ID:
                                                                    • API String ID: 2605342592-0
                                                                    • Opcode ID: 393c83f8647a4e4e905b151b9ea1406947fc62e9018515f0e7f821d7fee9a8df
                                                                    • Instruction ID: 8389f0226c663b3c6d8c6253af8546a3d73aba679155ae8f7c82d0c1376384d0
                                                                    • Opcode Fuzzy Hash: 393c83f8647a4e4e905b151b9ea1406947fc62e9018515f0e7f821d7fee9a8df
                                                                    • Instruction Fuzzy Hash: 1DF0E9B620D21E3F7B006AB55CC0C7B7B9CD7862FCB11072FF51091180E9594C1116B6
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(00000000,?,00000000), ref: 00412403
                                                                    • RegisterClassW.USER32(00000001), ref: 00412428
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                                                    • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000,?), ref: 00412455
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: HandleModule$ClassCreateRegisterWindow
                                                                    • String ID:
                                                                    • API String ID: 2678498856-0
                                                                    • Opcode ID: 3d8581704458cf3d0e12cdde0886d81e04a6e1a5031830fe2d02856e91d8c1e2
                                                                    • Instruction ID: 2742b6e08e64d4f702ac0bdc031c2178a10537c5a2141806c9029dd5a11ba4c1
                                                                    • Opcode Fuzzy Hash: 3d8581704458cf3d0e12cdde0886d81e04a6e1a5031830fe2d02856e91d8c1e2
                                                                    • Instruction Fuzzy Hash: E601E5B1941228ABD7119FA68C89ADFBEBCFF09B14F10411AF514A2240D7B456408BE9
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040F673
                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00007FFF,00000000,00000000,00000000), ref: 0040F690
                                                                    • strlen.MSVCRT ref: 0040F6A2
                                                                    • WriteFile.KERNEL32(00000001,?,00000000,00000000,00000000), ref: 0040F6B3
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                    • String ID:
                                                                    • API String ID: 2754987064-0
                                                                    • Opcode ID: 2d99b823047ec0f3cd03764c07ddb7da79dd9e7c990c2a315c49f172e64051b9
                                                                    • Instruction ID: e5447571fde1e0de43d26e7f5909b1ba013d3ab3fbf9ce0dfcc5e01eb4e41d37
                                                                    • Opcode Fuzzy Hash: 2d99b823047ec0f3cd03764c07ddb7da79dd9e7c990c2a315c49f172e64051b9
                                                                    • Instruction Fuzzy Hash: 03F062B680102C7FEB81A794DC81DEB77ACEB05258F0080B2B715D2140E9749F484F7D
                                                                    APIs
                                                                      • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                                                      • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                                                      • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                                                    • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                                                    • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                                                    • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                                                    • GetStockObject.GDI32(00000000), ref: 004143C6
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                                    • String ID:
                                                                    • API String ID: 764393265-0
                                                                    • Opcode ID: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                                    • Instruction ID: 55a1794077c12dabf0ba6e1c8d3319674f3f2ba5a0574a39bcd6537ad23d1771
                                                                    • Opcode Fuzzy Hash: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                                    • Instruction Fuzzy Hash: 3AF06835200219BBCF112FA5EC06EDD3F25BF05321F104536FA25A45F1CBB59D609759
                                                                    APIs
                                                                    • memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
                                                                    • memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                                                    • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy$DialogHandleModuleParam
                                                                    • String ID:
                                                                    • API String ID: 1386444988-0
                                                                    • Opcode ID: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                                    • Instruction ID: 364e94b7bdcda47f4d7f1f8d7aeee0d56301a77e6e21c3ce81869cca2c347424
                                                                    • Opcode Fuzzy Hash: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                                    • Instruction Fuzzy Hash: 80F0E272A843207BF7207FA5AC0AB477E94FB05B03F114826F600E50D2C2B988518F8D
                                                                    APIs
                                                                    • _snwprintf.MSVCRT ref: 0040A398
                                                                    • memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: _snwprintfmemcpy
                                                                    • String ID: %2.2X
                                                                    • API String ID: 2789212964-323797159
                                                                    • Opcode ID: ad0fc0dc4c4054376e52d8ba7d115ce3a6dbc9d30928944a1ebc7f5d9ce1ea74
                                                                    • Instruction ID: 802357eb4f50a043e47c8b78e7782d62930b20b04af67ea92e1f933aeb07fc5a
                                                                    • Opcode Fuzzy Hash: ad0fc0dc4c4054376e52d8ba7d115ce3a6dbc9d30928944a1ebc7f5d9ce1ea74
                                                                    • Instruction Fuzzy Hash: 71118E32900309BFEB10DFE8D8829AFB3B9FB05314F108476ED11E7141D6789A258B96
                                                                    APIs
                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 0040A159
                                                                    • SetWindowLongW.USER32(000000EC,000000EC,00000000), ref: 0040A16B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2136442991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000002.00000002.2136442991.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 00000002.00000002.2136442991.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_400000_1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf.jbxd
                                                                    Similarity
                                                                    • API ID: LongWindow
                                                                    • String ID: MZ@
                                                                    APIs
                                                                    • wcslen.MSVCRT ref: 0040B1DE
                                                                    • free.MSVCRT ref: 0040B201
                                                                      • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                      • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                                                      • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                    • free.MSVCRT ref: 0040B224
                                                                    • memcpy.MSVCRT(00000000,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
                                                                    Similarity
                                                                    • API ID: free$memcpy$mallocwcslen
                                                                    • String ID:
                                                                    APIs
                                                                    • strlen.MSVCRT ref: 0040B0D8
                                                                    • free.MSVCRT ref: 0040B0FB
                                                                      • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                      • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                                                      • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                    • free.MSVCRT ref: 0040B12C
                                                                    • memcpy.MSVCRT(00000000,?,00000000,00000000,0040B35A,?), ref: 0040B159
                                                                    Similarity
                                                                    • API ID: free$memcpy$mallocstrlen
                                                                    • String ID:
                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                                                    • malloc.MSVCRT ref: 00417407
                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                                                    • free.MSVCRT ref: 00417425
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$freemalloc
                                                                    • String ID:
                                                                    • API String ID: 2605342592-0
                                                                    • Opcode ID: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                                                    • Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
                                                                    • Opcode Fuzzy Hash: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                                                    • Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5